CVE-2026-48044
Analyzed
Analyzed - Analysis Complete
Memory Exhaustion in Envoy Proxy via Zstd Decompression
Vulnerability report for CVE-2026-48044, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-26
Last updated on: 2026-06-29
Assigner: GitHub, Inc.
Description
Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envoyproxy | envoy | From 1.37.0 (inc) to 1.37.5 (exc) |
| envoyproxy | envoy | From 1.38.0 (inc) to 1.38.3 (exc) |
| envoyproxy | envoy | From 1.36.0 (inc) to 1.36.9 (exc) |
| envoyproxy | envoy | From 1.23.0 (inc) to 1.35.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |