CVE-2026-48042
Stack Overflow in Envoy Proxy via Deeply Nested JSON Objects

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the destructor of a JSON Object causes a stack overflow when deeply nested objects (O(100K) levels) are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
envoyproxy | envoy | From 1.18 (inc) to 1.39 (inc)
CWE ID | Description
CWE-1124 | The code contains a callable or other code grouping in which the nesting / branching is too deep.
Executive Summary

CVE-2026-48042 is a stack overflow vulnerability in the Envoy Proxy project affecting versions 1.18 to 1.39. The issue occurs when deeply nested JSON objects, around 100,000 levels deep, are parsed using the `loadFromString` method.

While the JSON parsing itself succeeds, the destructor of the resulting JSON object graph triggers a recursive stack overflow during cleanup, causing a segmentation fault.

This vulnerability impacts any filters using `loadFromString` on the hot path, including the McpRouter and JsonToMetadata filters.

Mitigation is possible by setting lower buffer limits to prevent such deeply nested JSON.

Impact Analysis

This vulnerability can lead to a complete loss of availability of the Envoy Proxy service.

Because the stack overflow occurs during the destruction of deeply nested JSON objects, it causes a segmentation fault that crashes the process.

The vulnerability does not require any privileges or user interaction to be exploited, making it easier for attackers to cause denial of service.

Detection Guidance

This vulnerability occurs when Envoy Proxy parses deeply nested JSON objects (around 100,000 levels) using the `loadFromString` method, leading to a stack overflow during the destructor call. Detection can focus on monitoring for segmentation faults or crashes in Envoy instances, especially those using filters like McpRouter and JsonToMetadata that utilize `loadFromString` on the hot path.

You can detect potential exploitation by checking Envoy logs for crashes or segmentation faults related to JSON parsing. Additionally, monitoring for unusually large or deeply nested JSON payloads in traffic passing through Envoy may help identify attempts to trigger this vulnerability.

While no specific commands are provided in the resources, general commands to check Envoy process crashes and logs include:

  • Check Envoy logs for errors or crashes: `journalctl -u envoy` or `cat /var/log/envoy/envoy.log`
  • Monitor for segmentation faults in Envoy processes: `dmesg | grep envoy` or `grep -i segfault /var/log/syslog`
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze JSON payloads passing through Envoy for unusually deep nesting or large size.

Mitigation Strategies

Immediate mitigation involves upgrading Envoy Proxy to one of the fixed versions: 1.35.11, 1.36.7, 1.37.3, or 1.38.1.

If upgrading is not immediately possible, you can mitigate the vulnerability by configuring Envoy to set lower buffer limits to prevent processing of deeply nested JSON objects that could trigger the stack overflow.

Additionally, consider restricting or validating incoming JSON payloads to avoid deeply nested structures and monitor Envoy for crashes or abnormal behavior.
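
One way to validate nesting depth before a body reaches a JSON parser, as an added example (not Envoy's code and not the upstream fix). The names `DepthScan`, `scanJsonDepth` and `nestedObjects` are hypothetical, and the depth limit is an operator-chosen assumption; wiring the check into a filter or gateway is not shown.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

// Result of a single pass over a JSON request body.
struct DepthScan {
  std::size_t max_depth = 0;  // deepest object/array nesting seen
  bool over_limit = false;    // true once nesting exceeded the limit
  bool unbalanced = false;    // closer without opener, or unclosed at end
};

// Iterative scan: O(n) time, O(1) memory, no recursion, so the check
// cannot itself run out of stack on a deeply nested body. Brackets inside
// JSON strings are ignored, including after escaped quotes.
DepthScan scanJsonDepth(std::string_view body, std::size_t limit) {
  DepthScan r;
  std::size_t depth = 0;
  bool in_string = false, escaped = false;
  for (char c : body) {
    if (in_string) {
      if (escaped) escaped = false;
      else if (c == '\\') escaped = true;
      else if (c == '"') in_string = false;
      continue;
    }
    switch (c) {
      case '"': in_string = true; break;
      case '{': case '[':
        if (++depth > r.max_depth) r.max_depth = depth;
        if (depth > limit) { r.over_limit = true; return r; }  // stop early
        break;
      case '}': case ']':
        if (depth == 0) { r.unbalanced = true; return r; }
        --depth;
        break;
    }
  }
  r.unbalanced = (depth != 0) || in_string;
  return r;
}

// Constructed sample input: n >= 1 nested objects, e.g. {"a":{"a":{}}} for n=3.
std::string nestedObjects(std::size_t n) {
  std::string s;
  for (std::size_t i = 1; i < n; ++i) s += "{\"a\":";
  s += "{}";
  s.append(n - 1, '}');
  return s;
}
```

A body with `over_limit` or `unbalanced` set would be rejected before parsing; the scan returns at the first level past the limit, so its cost is bounded by the limit rather than by the payload's depth.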
