CVE-2026-48044
Analyzed Analyzed - Analysis Complete

Memory Exhaustion in Envoy Proxy via Zstd Decompression

Vulnerability report for CVE-2026-48044, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
envoyproxy envoy From 1.37.0 (inc) to 1.37.5 (exc)
envoyproxy envoy From 1.38.0 (inc) to 1.38.3 (exc)
envoyproxy envoy From 1.36.0 (inc) to 1.36.9 (exc)
envoyproxy envoy From 1.23.0 (inc) to 1.35.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48044 is a vulnerability in Envoy's Zstd decompressor implementation. When enabled, processing a specially crafted, highly compressed Zstd payload can cause the decompressor to allocate massive amounts of memory. This happens because the MaxInflateRatio limit check is incorrectly placed outside the inner decompression loop, allowing a small payload to expand excessively before the safeguard triggers.

As a result, this flaw can lead to severe memory exhaustion, potentially causing an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy.

Detection Guidance

Detection of this vulnerability involves identifying if your Envoy proxy is running a vulnerable version (from 1.23.0 up to versions before 1.35.13, 1.36.9, 1.37.5, and 1.38.3) and if the Zstd decompressor is enabled.

You can check the Envoy version by running the command:

  • envoy --version

To detect if Zstd decompression is enabled, review your Envoy configuration files for any references to the Zstd decompressor.

Additionally, monitoring for unusually high memory usage or Out-Of-Memory (OOM) kills related to Envoy processes can indicate exploitation attempts.

Impact Analysis

This vulnerability can impact you by causing severe memory exhaustion on systems running vulnerable versions of Envoy when processing maliciously crafted Zstd compressed payloads.

The excessive memory allocation can lead to an Out-Of-Memory (OOM) kill, resulting in a Denial of Service (DoS) condition where the Envoy proxy becomes unavailable or crashes.

No privileges or user interaction are required to exploit this vulnerability, making it easier for attackers to cause disruption.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Envoy to a patched version: 1.35.13, 1.36.9, 1.37.5, or 1.38.3 or later.
  • If upgrading is not immediately possible, disable the Zstd decompressor in your Envoy configuration.
  • Alternatively, switch to unaffected decompression methods such as Gzip or Brotli.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart