CVE-2026-47204
Received - Intake
Null Pointer Dereference in Envoy Proxy via gRPC-Connect Protocol

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
envoyproxy | envoy | From 1.26.0 (inc) to 1.38.1 (exc)
CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

CVE-2026-47204 is a vulnerability in Envoy Proxy where the grpc_stats filter crashes with a segmentation fault when processing Connect protocol requests (Content-Type: application/connect+proto or application/connect+json) that target direct_response routes.

The issue occurs because the filter attempts to dereference a null pointer for the upstream cluster, which does not exist for direct_response routes.

This can be triggered by a single unauthenticated HTTP request, causing the entire Envoy process to crash.

The vulnerability affects Envoy versions between 1.26 and 1.38.0 and has been patched in versions 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

Impact Analysis

This vulnerability can cause the Envoy process to crash due to a segmentation fault triggered by a single unauthenticated HTTP request.

The impact is a high-severity availability disruption: the Envoy proxy service is unavailable until the process is restarted or recovered.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in the Envoy process, especially when handling HTTP requests with the Content-Type header set to application/connect+proto or application/connect+json targeting direct_response routes.

To detect attempts to exploit this vulnerability, you can inspect network traffic or logs for unauthenticated HTTP requests with these specific Content-Type headers hitting direct_response routes.

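The referenced resources provide no specific commands, but tools such as tcpdump or Wireshark can filter HTTP requests carrying these headers. The example below matches only cleartext HTTP/1.x on port 80; TLS-encrypted traffic and HTTP/2 requests (whose headers are HPACK-compressed) will not match, so capture after TLS termination in those cases. The -l flag line-buffers tcpdump output so matches reach grep immediately:

  • tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Content-Type: application/connect'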

Additionally, monitoring Envoy logs for crashes or segfaults can help identify if the vulnerability is being triggered.

Mitigation Strategies

The immediate mitigation is to upgrade Envoy to a version in which this vulnerability is patched.

  • Upgrade to Envoy version 1.35.13, 1.36.9, 1.37.5, or 1.38.3 or later.

Until the upgrade can be performed, consider restricting or filtering unauthenticated HTTP requests with Content-Type headers application/connect+proto or application/connect+json targeting direct_response routes to prevent exploitation.
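
To decide which deployments need the upgrade or the interim filtering first, the following added example (not code from the advisory or the Envoy project) checks an Envoy version against the range listed above and reports inline direct_response routes that sit behind the grpc_stats filter in a JSON bootstrap config. The function names, the sample config, and the assumption that release lines after 1.38 include the fix are illustrative.

```python
import json

# Fixed patch level per release line, taken from the advisory text on this page.
FIXED = {(1, 35): 13, (1, 36): 9, (1, 37): 5, (1, 38): 3}

def version_affected(version):
    """True if an 'X.Y.Z' Envoy version falls in the range the advisory lists."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor, patch) < (1, 26, 0) or (major, minor) > (1, 38):
        return False  # assumption: release lines after 1.38 already carry the fix
    fixed = FIXED.get((major, minor))
    return fixed is None or patch < fixed  # 1.26 to 1.34: no fixed release listed

def is_grpc_stats(http_filter):
    """Match by filter name or by typed_config type URL (the name may be customised)."""
    type_url = (http_filter.get("typed_config") or {}).get("@type", "")
    return "grpc_stats" in http_filter.get("name", "") or "grpc_stats" in type_url

def find_hcms(node):
    """Yield every dict holding an http_filters list (an HTTP connection manager)."""
    if isinstance(node, dict) and isinstance(node.get("http_filters"), list):
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        yield from find_hcms(child)

def exposed_routes(config):
    """List (stat_prefix, virtual host, match) of direct_response routes behind grpc_stats."""
    hits = []  # only inline route_config is inspected; RDS-delivered routes need the same check
    for hcm in find_hcms(config):
        if not any(is_grpc_stats(f) for f in hcm["http_filters"]):
            continue
        for vhost in hcm.get("route_config", {}).get("virtual_hosts", []):
            for route in vhost.get("routes", []):
                if "direct_response" in route:
                    hits.append((hcm.get("stat_prefix"), vhost.get("name"), route.get("match")))
    return hits

# Constructed sample bootstrap: one connection manager with grpc_stats, one without.
SAMPLE = json.loads("""{"static_resources": {"listeners": [{"filter_chains": [{"filters": [
 {"typed_config": {"stat_prefix": "ingress", "http_filters": [
    {"name": "envoy.filters.http.grpc_stats"}, {"name": "envoy.filters.http.router"}],
   "route_config": {"virtual_hosts": [{"name": "app", "routes": [
    {"match": {"prefix": "/healthz"}, "direct_response": {"status": 200}},
    {"match": {"prefix": "/"}, "route": {"cluster": "backend"}}]}]}}},
 {"typed_config": {"stat_prefix": "admin", "http_filters": [
    {"name": "envoy.filters.http.router"}],
   "route_config": {"virtual_hosts": [{"name": "ops", "routes": [
    {"match": {"prefix": "/ping"}, "direct_response": {"status": 200}}]}]}}}]}]}]}}""")
```

A deployment is a priority when version_affected() is true for its Envoy build and exposed_routes() returns at least one entry for its config.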
