CVE-2026-47205
Undergoing Analysis - In Progress
Use-After-Free in Envoy Proxy

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy's ext_authz HTTP filter when per-route authorization overrides are processed concurrently with rapid downstream client disconnects.

During a normal request lifecycle, Envoy instantiates the ext_authz filter with a default authorization client object (client_). If the matched route specifies a per-route HTTP or gRPC authorization service override, the filter creates a local client for it. In the vulnerable implementation, this transient client overwrote the default client_ unique pointer with client_ = std::move(per_route_client), destroying the default client in the middle of initiateCall.

When a downstream client rapidly establishes and then tears down a stream (for example by rapidly refreshing a protected WebSocket endpoint), the teardown runs ConnectionManagerImpl::doDeferredStreamDestroy() -> ActiveStream::onResetStream(), and Envoy immediately calls Filter::onDestroy() to abort any dispatched asynchronous authorization check via client_->cancel(). Because the default client was destroyed abruptly during initiateCall, the async client manager's view of the client lifecycle no longer matches reality: stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, and a late asynchronous callback from the network runs against an ActiveStream that has already been destroyed, crashing the process with a UAF. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3.
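The ownership hazard described above, as an added example that is not Envoy's code: a toy model in which client_ is overwritten with std::move(per_route_client) so that onDestroy() can no longer cancel the default client, beside an assumed fix that keeps both clients and cancels each. The async client manager here is a constructed stand-in, and the assumption that the default client already has a check bound when it is replaced is a modelling choice, not something the advisory states.

```cpp
#include <memory>
#include <unordered_set>
#include <utility>
// Constructed stand-in for Envoy's async client manager: it records, by raw pointer, each
// client with a check in flight; a late callback lands on that pointer, freed or not.
struct AsyncClientManager {
  std::unordered_set<const void*> bound;  // clients with an authz check in flight
  std::unordered_set<const void*> live;   // clients that still exist
  int danglingBindings() const {          // in-flight checks whose client was freed
    int n = 0; for (const void* c : bound) if (!live.count(c)) ++n; return n; }
};
struct AuthzClient {
  AsyncClientManager& mgr;
  explicit AuthzClient(AsyncClientManager& m) : mgr(m) { mgr.live.insert(this); }
  ~AuthzClient() { mgr.live.erase(this); }  // freeing alone does not unbind the callback
  void check()  { mgr.bound.insert(this); } // dispatch an async authz check
  void cancel() { mgr.bound.erase(this); }  // abort it and unbind the callback
};
// Vulnerable shape from the advisory: the per-route client overwrites client_, freeing the
// default client mid-call, so onDestroy() can only cancel the client it now points at.
struct VulnerableFilter {
  std::unique_ptr<AuthzClient> client_;
  explicit VulnerableFilter(AsyncClientManager& m) : client_(std::make_unique<AuthzClient>(m)) {}
  void initiateCall(std::unique_ptr<AuthzClient> per_route_client) {
    client_->check();  // modelling assumption: the default client already has a check bound
    if (per_route_client) client_ = std::move(per_route_client);  // default client freed here
    client_->check();
  }
  void onDestroy() { client_->cancel(); }  // reaches the per-route client only
};
// Assumed remediation (not Envoy's actual patch): keep the default client in its own member
// and cancel every client on stream teardown.
struct FixedFilter {
  std::unique_ptr<AuthzClient> client_, per_route_client_;
  explicit FixedFilter(AsyncClientManager& m) : client_(std::make_unique<AuthzClient>(m)) {}
  void initiateCall(std::unique_ptr<AuthzClient> per_route_client) {
    client_->check();
    per_route_client_ = std::move(per_route_client);
    if (per_route_client_) per_route_client_->check();
  }
  void onDestroy() { client_->cancel(); if (per_route_client_) per_route_client_->cancel(); }
};
// One stream lifecycle: create filter, apply per-route override, reset the stream
// (ActiveStream::onResetStream() -> Filter::onDestroy()), free the filter, then audit.
template <class Filter> int danglingAfterTeardown() {
  AsyncClientManager mgr;
  { Filter f(mgr); f.initiateCall(std::make_unique<AuthzClient>(mgr)); f.onDestroy(); }
  return mgr.danglingBindings();  // VulnerableFilter: 1, FixedFilter: 0
}
```

A non-zero count is the state a late network callback would find: a binding that still points at a client the filter has already freed.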
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor      Product   Version / Range
envoyproxy  envoy     From 1.36.0 (inc) to 1.36.9 (inc)
envoyproxy  envoy     to 1.37.5 (inc)
envoyproxy  envoy     to 1.38.3 (inc)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Compliance Impact

This vulnerability causes a denial of service (DoS) through a Use-After-Free (UAF) condition leading to process crashes in Envoy's ext_authz HTTP filter. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not result in unauthorized data access or modification, it does not directly compromise data protection requirements under standards like GDPR or HIPAA. However, the availability impact could affect service reliability, which may indirectly influence compliance if critical services are disrupted.

Executive Summary

This vulnerability is a Use-After-Free (UAF) issue in Envoy's ext_authz HTTP filter. It happens when Envoy processes per-route authorization overrides at the same time as rapid downstream client disconnects. The problem arises because the filter improperly manages memory by overwriting a default authorization client pointer with a temporary one and then destroying it too early during stream teardown. This causes asynchronous authorization callbacks to access memory that has already been freed, leading to a crash of the Envoy process.

Impact Analysis

The vulnerability can cause a data-plane crash or denial of service (DoS) in Envoy. This means that the proxy service could suddenly stop working or become unavailable when the conditions for the vulnerability are met, such as using per-route authorization overrides combined with rapid client connections and disconnections. This impacts the availability of services relying on Envoy but does not affect confidentiality or integrity.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in Envoy's data plane, especially when using per-route authorization overrides combined with rapid downstream client disconnects. Detection involves observing Envoy logs for sudden process crashes or denial of service symptoms triggered by the ext_authz HTTP filter.

Since the issue arises from rapid client connections and disconnections on routes with per-route service overrides, you can monitor for such traffic patterns to identify whether the vulnerability is being triggered.

Specific commands are not provided in the resources, but general approaches include:

  • Checking Envoy logs for segmentation faults or crash reports related to the ext_authz filter.
  • Using system tools like `dmesg` or `journalctl` to find kernel or service crash messages.
  • Monitoring network traffic for rapid connect/disconnect patterns on routes with per-route authorization overrides.

Mitigation Strategies

Immediate mitigation steps include upgrading Envoy to a fixed version: 1.36.9, 1.37.5, or 1.38.3, where the vulnerability has been patched.

If upgrading is not immediately possible, temporary workarounds include:

  • Avoid using per-route authorization service overrides.
  • Disable or limit volatile WebSocket channels that cause rapid client connect/disconnect cycles.

These steps help preserve the default client's memory lifecycle and prevent the race condition causing the Use-After-Free crash.
