CVE-2026-47204
Modified
Modified - Updated After Analysis
Null Pointer Dereference in Envoy Proxy via gRPC-Connect Protocol
Vulnerability report for CVE-2026-47204, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-26
Last updated on: 2026-06-29
Assigner: GitHub, Inc.
Description
Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envoyproxy | envoy | From 1.37.0 (inc) to 1.37.5 (exc) |
| envoyproxy | envoy | From 1.38.0 (inc) to 1.38.3 (exc) |
| envoyproxy | envoy | From 1.36.0 (inc) to 1.36.9 (exc) |
| envoyproxy | envoy | From 1.26.0 (inc) to 1.35.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |