CVE-2026-48044
Memory Exhaustion in Envoy Proxy via Zstd Decompression

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Affected Vendors & Products
Showing 9 associated CPEs

Vendor       Product   Version / Range
envoyproxy   envoy     From 1.23.0 (inc) to 1.38.1 (inc)
envoyproxy   envoy     1.35.11
envoyproxy   envoy     1.36.7
envoyproxy   envoy     1.37.3
envoyproxy   envoy     1.38.1
envoyproxy   envoy     1.35.13
envoyproxy   envoy     1.36.9
envoyproxy   envoy     1.37.5
envoyproxy   envoy     1.38.3
CWE ID    Description
CWE-409   The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Executive Summary

CVE-2026-48044 is a vulnerability in Envoy's Zstd decompressor implementation. When zstd decompression is enabled, processing a specially crafted, highly compressed Zstd payload can cause the decompressor to allocate massive amounts of memory. This happens because the MaxInflateRatio limit check is incorrectly placed outside the inner decompression loop, so a small payload can expand excessively before the safeguard triggers.

As a result, this flaw can lead to severe memory exhaustion, potentially causing an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy.
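The check-placement problem described above, as an added illustration that is not Envoy's code: a ratio guard evaluated only after full inflation next to the same guard evaluated inside a bounded inflate loop. Python's zlib stands in for zstd, MAX_INFLATE_RATIO is an assumed limit modelled on Envoy's max_inflate_ratio setting, and the "bomb" is a constructed megabyte of zero bytes.

```python
import zlib

# Assumed limit modelled on Envoy's max_inflate_ratio; not Envoy's value or code.
MAX_INFLATE_RATIO = 100
CHUNK = 4096  # output produced per bounded inflate step


class InflateRatioExceeded(Exception):
    def __init__(self, produced: int):
        super().__init__(f"inflate ratio exceeded after {produced} bytes")
        self.produced = produced  # bytes already materialised when the guard fired


def make_bomb(size: int) -> bytes:
    """Constructed sample: `size` zero bytes, which zlib shrinks roughly 1000:1."""
    return zlib.compress(b"\0" * size, 9)


def inflate_check_after(payload: bytes, ratio: int = MAX_INFLATE_RATIO) -> bytes:
    """Flawed shape: the whole expansion is allocated, then the ratio is checked."""
    out = zlib.decompress(payload)  # peak memory equals the full output size
    if len(out) > ratio * len(payload):
        raise InflateRatioExceeded(len(out))
    return out


def inflate_check_in_loop(payload: bytes, ratio: int = MAX_INFLATE_RATIO) -> bytes:
    """Fixed shape: the budget is re-checked after every bounded inflate step."""
    budget = ratio * len(payload)
    d = zlib.decompressobj()
    produced, chunks, data = 0, [], payload
    while not d.eof:
        out = d.decompress(data, CHUNK)  # max_length caps this step's output
        produced += len(out)
        if produced > budget:
            raise InflateRatioExceeded(produced)  # stop before allocating more
        chunks.append(out)
        data = d.unconsumed_tail  # input zlib has not consumed yet (may be empty)
        if not out and not data and not d.eof:
            raise ValueError("truncated zlib stream")
    return b"".join(chunks)


def bytes_allocated_before_abort(inflate, payload: bytes) -> int:
    """Output each strategy materialises for a payload before it stops."""
    try:
        return len(inflate(payload))
    except InflateRatioExceeded as exc:
        return exc.produced
```

On the constructed bomb, the after-the-fact check only fires once the full megabyte exists in memory, while the in-loop check aborts within one CHUNK of the budget.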

Impact Analysis

This vulnerability can impact you by causing severe memory exhaustion on systems running vulnerable versions of Envoy when processing maliciously crafted Zstd compressed payloads.

The excessive memory allocation can lead to an Out-Of-Memory (OOM) kill, resulting in a Denial of Service (DoS) condition where the Envoy proxy becomes unavailable or crashes.

No privileges or user interaction are required to exploit this vulnerability, making it easier for attackers to cause disruption.

Detection Guidance

Detecting exposure to this vulnerability involves two checks: whether your Envoy proxy is running a vulnerable version (from 1.23.0 up to versions before 1.35.13, 1.36.9, 1.37.5, and 1.38.3) and whether the Zstd decompressor is enabled.

You can check the Envoy version by running the command:

  • envoy --version

To detect if Zstd decompression is enabled, review your Envoy configuration files for any references to the Zstd decompressor.

Additionally, monitoring for unusually high memory usage or Out-Of-Memory (OOM) kills related to Envoy processes can indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Envoy to a patched version: 1.35.13, 1.36.9, 1.37.5, or 1.38.3 or later.
  • If upgrading is not immediately possible, disable the Zstd decompressor in your Envoy configuration.
  • Alternatively, switch to unaffected decompression methods such as Gzip or Brotli.