CVE-2026-48090
Status: Undergoing Analysis - In Progress
Memory Corruption in Envoy Proxy

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor / Product / Version range:
envoyproxy / envoy / from 1.37.0 (inclusive) to 1.37.5 (inclusive)
envoyproxy / envoy / up to 1.38.3 (inclusive)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Quick Actions
Executive Summary

CVE-2026-48090 is a use-after-free vulnerability in Envoy Proxy's HTTP OAuth2 filter (envoy.filters.http.oauth2) affecting versions 1.37.0 to 1.37.5 and 1.38.3. The issue happens when an asynchronous OAuth2 token exchange remains active after the downstream HTTP stream has already been closed, such as when a client disconnects or times out.

When the token response arrives late, the filter tries to use a callback pointer that no longer exists (StreamDecoderFilterCallbacks), causing undefined behavior, crashes of the proxy worker, or memory corruption like use-after-free or invalid virtual pointer failures.

This is a memory-safety and lifetime management issue in the data plane, not a simple configuration bug. The root cause is that the teardown of the stream does not cancel the in-flight token request or invalidate the related callbacks.

Impact Analysis

The primary impact of this vulnerability is denial-of-service (DoS) caused by crashes of the Envoy proxy worker processes. This leads to availability loss of the proxy service.

Remote code execution is not claimed or demonstrated. However, the undefined behavior and memory corruption could potentially lead to other impacts depending on the deployment environment and memory allocator, but these are not confirmed.

Detection Guidance

This vulnerability manifests as worker crashes or undefined behavior in Envoy Proxy when using the HTTP OAuth2 filter. Detection involves monitoring Envoy logs and crash reports for symptoms such as unexpected worker process terminations or AddressSanitizer reports indicating use-after-free or invalid pointer dereferences related to the OAuth2 filter.

Because the crash only occurs when an asynchronous token exchange is still in flight at stream teardown, symptoms may be intermittent; independently of symptoms, check whether your Envoy version falls within the vulnerable range (1.37.0 to 1.37.5 and 1.38.3).

Suggested commands include:

  • Check Envoy version: `envoy --version`
  • Inspect Envoy logs for crashes or errors related to the HTTP OAuth2 filter.
  • If AddressSanitizer is enabled, review its output for use-after-free or invalid-vptr errors.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The primary mitigation is to upgrade Envoy Proxy to a fixed version where this vulnerability is resolved. Specifically, upgrade to version 1.37.5 or 1.38.3 or later.

The fix involves canceling any pending OAuth2 token requests during stream teardown and ignoring late callbacks to prevent use-after-free conditions.
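The cancel-on-teardown fix described above, as an added C++ illustration that is not Envoy's code: AsyncClient, StreamCallbacks and OAuthFilter are simplified stand-ins for the Envoy types named on this page, and the callbacks object is deliberately kept allocated so the late touch can be counted rather than reproducing the actual use-after-free.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Simplified stand-in for an async HTTP client (not Envoy's AsyncClient):
// a request completes later and may be cancelled before that happens.
struct AsyncClient {
  struct Request { std::function<void(const std::string&)> on_done; bool cancelled = false; };
  std::vector<std::shared_ptr<Request>> pending;
  std::shared_ptr<Request> send(std::function<void(const std::string&)> cb) {
    auto r = std::make_shared<Request>();
    r->on_done = std::move(cb);
    pending.push_back(r);
    return r;
  }
  void completeAll(const std::string& token) {  // late completion from the network
    for (auto& r : pending) if (!r->cancelled) r->on_done(token);
    pending.clear();
  }
};
// Stand-in for the stream-scoped callbacks object. Envoy frees it with the
// stream; here it stays allocated so a late touch is counted, not undefined.
struct StreamCallbacks { int touches = 0; void addTokenHeader(const std::string&) { ++touches; } };
// Filter owning the in-flight token exchange. cancel_on_teardown=false models
// the bug; true models the fix: cancel the pending request in onDestroy().
struct OAuthFilter {
  StreamCallbacks* callbacks_;
  std::shared_ptr<AsyncClient::Request> in_flight_;
  void startTokenExchange(AsyncClient& c) {
    in_flight_ = c.send([this](const std::string& t) { callbacks_->addTokenHeader(t); });
  }
  void onDestroy(bool cancel_on_teardown) {
    if (cancel_on_teardown && in_flight_) in_flight_->cancelled = true;
    in_flight_.reset();  // dropping our handle alone does not stop the request
  }
};
// The race: stream torn down before the token response arrives. Returns how
// many times the dead callbacks were used (1 with the bug, 0 with the fix).
int usesAfterTeardown(bool cancel_on_teardown) {
  AsyncClient client;
  StreamCallbacks cbs;
  OAuthFilter filter{&cbs, nullptr};
  filter.startTokenExchange(client);
  filter.onDestroy(cancel_on_teardown);       // downstream stream goes away
  client.completeAll("constructed-token");    // late AsyncClient completion
  return cbs.touches;
}
```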

Until an upgrade can be performed, consider monitoring for crashes and restarting Envoy workers as needed to maintain availability.
