CVE-2026-48706
Status: Received - Intake
Heap Write Overflow in Envoy Proxy

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Versions from 1.34.0 up to but not including 1.35.13, 1.36.9, 1.37.5, and 1.38.3 (on their respective release branches) contain a vulnerability in Envoy's TCP StatsD sink (TcpStatsdSink): the thread-local flusher buffer can be overflowed by exceptionally long statistic names (for example, longer than 16KiB).

During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher rotates to a new buffer but incorrectly allocates another fixed 16KiB slice, which is still too small for the metric. If an attacker can trigger a statistic name longer than 16KiB (for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true), the flusher copies the metric name with memcpy beyond the allocated heap buffer boundaries.

This is a heap write overflow, which can cause an immediate denial of service (process crash) or potentially remote code execution (RCE). The vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor: envoyproxy
Product: envoy
Version range (CPE): from 1.34.0 (inclusive) to 1.39 (exclusive)

Note that this CPE range is coarser than the advisory text. Within it, 1.35.13, 1.36.9, 1.37.5 and 1.38.3, and later patch releases on those branches, are fixed; the range is best read as "all of 1.34.x, plus 1.35 through 1.38 below the fixed patch level".
CWE
CWE-120 (Buffer Copy without Checking Size of Input, 'Classic Buffer Overflow'): The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Mitigation Strategies

Switch the StatsD sink from TCP to UDP: in the StatsdSink configuration this means replacing tcp_cluster_name with a UDP address. The UDP StatsD sink is not affected by this vulnerability. Stats sinks are part of the bootstrap configuration, so the change takes effect when each Envoy process is (hot) restarted.

Alternatively, disable per-method cardinality stats in the grpc_stats filter (stats_for_all_methods: true is the setting the advisory names; set it to false, or use individual_method_stats_allowlist to limit per-method stats to known methods). This removes the request-path-derived stat names the advisory describes and so reduces the likelihood of extremely long statistic names reaching the sink.

Applying the official patches, that is upgrading Envoy to 1.35.13, 1.36.9, 1.37.5, or 1.38.3 (or later on those branches), fixes the vulnerability. No fixed 1.34.x release is listed, so 1.34 deployments must move to a fixed later minor. The two workarounds above cover the window until the upgrade is rolled out.
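The following script is an added example for this page, not Envoy project code: it audits a node for the two advisory conditions (TCP StatsdSink selected via tcp_cluster_name, and grpc_stats with stats_for_all_methods: true) and checks whether a version string falls in the affected set. The two configuration excerpts are constructed for the example and show the weak settings beside the hardened ones; the assumed `envoy --version` banner layout and the admin port 9901 are this example's assumptions, not facts from the advisory.

```shell
#!/bin/sh
# Added example for CVE-2026-48706 (not Envoy project code): audit an Envoy
# deployment for the two conditions the advisory names, and check whether the
# running version is below the fixed releases 1.35.13, 1.36.9, 1.37.5, 1.38.3.
# Both config excerpts below are constructed for this example.

# Constructed excerpt of an exposed bootstrap: TCP StatsD sink (tcp_cluster_name)
# plus grpc_stats turning every request path into a per-method stat name.
VULNERABLE_CFG='
stats_sinks:
- name: envoy.stat_sinks.statsd
  typed_config:
    "@type": type.googleapis.com/envoy.config.metrics.v3.StatsdSink
    prefix: envoy
    tcp_cluster_name: statsd_cluster
http_filters:
- name: envoy.filters.http.grpc_stats
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
    stats_for_all_methods: true
'

# Constructed hardened excerpt: UDP StatsD sink (address) and per-method stats off.
HARDENED_CFG='
stats_sinks:
- name: envoy.stat_sinks.statsd
  typed_config:
    "@type": type.googleapis.com/envoy.config.metrics.v3.StatsdSink
    prefix: envoy
    address:
      socket_address: { address: 127.0.0.1, port_value: 8125 }
http_filters:
- name: envoy.filters.http.grpc_stats
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_stats.v3.FilterConfig
    stats_for_all_methods: false
'

# Exit 0 when the config text (YAML bootstrap or JSON config_dump) selects the TCP StatsdSink.
uses_tcp_statsd_sink() {
  printf '%s\n' "$1" | grep -q 'tcp_cluster_name'
}

# Exit 0 when grpc_stats emits a stat per request-path-derived method name.
# The optional quote makes the pattern match both YAML and the JSON config_dump.
emits_stats_for_all_methods() {
  printf '%s\n' "$1" | grep -Eq 'stats_for_all_methods"?:[[:space:]]*true'
}

# Exit 0 when both conditions hold, i.e. the request-path-to-TcpStatsdSink path exists.
config_is_exposed() {
  uses_tcp_statsd_sink "$1" && emits_stats_for_all_methods "$1"
}

# Pull "X.Y.Z" out of the `envoy --version` banner. Assumption of this example:
# the banner has the form "<hash>/<X.Y.Z>/<build>/<mode>/<ssl>".
envoy_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's#^.*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)/.*$#\1#p'
}

# Exit 0 when X.Y.Z is affected: any 1.34.x (no fixed release is listed for it),
# or 1.35/1.36/1.37/1.38 below the fixed patch level.
is_affected_version() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch='' ;; esac
  patch=${patch%%[!0-9]*}            # drop suffixes such as "-dev"
  [ "$major" = 1 ] || return 1
  case "$minor" in
    34) return 0 ;;
    35) [ "${patch:-0}" -lt 13 ] ;;
    36) [ "${patch:-0}" -lt 9 ] ;;
    37) [ "${patch:-0}" -lt 5 ] ;;
    38) [ "${patch:-0}" -lt 3 ] ;;
    *)  return 1 ;;
  esac
}

# Stand-alone run against the constructed samples. On a live node feed the real
# inputs instead: `envoy --version` and `curl -s http://127.0.0.1:9901/config_dump`.
BANNER='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.36.8/Clean/RELEASE/BoringSSL'  # constructed
ver=$(envoy_version_from_banner "$BANNER")
if is_affected_version "$ver" && config_is_exposed "$VULNERABLE_CFG"; then
  echo "envoy $ver with TCP StatsD sink and stats_for_all_methods: true is exposed; upgrade or switch sink"
fi
if config_is_exposed "$HARDENED_CFG"; then
  echo "hardened sample: exposed"
else
  echo "hardened sample: not exposed via this path"
fi
```

The version check deliberately treats every 1.34.x build as affected because the advisory lists no fixed 1.34 release; a build with a patch suffix such as 1.38.2-dev is compared on its numeric patch level only.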

Executive Summary

CVE-2026-48706 is a heap buffer overflow vulnerability in Envoy Proxy's TCP StatsD sink (TcpStatsdSink). It occurs when the thread-local flusher buffer is overflowed by extremely long statistic names exceeding 16KiB.

The vulnerability arises because the flusher reserves a fixed 16KiB memory slice for formatting metrics. If a metric name exceeds the remaining buffer capacity, the flusher incorrectly allocates another fixed 16KiB slice and continues copying data beyond the allocated heap buffer boundaries.

This can happen, for example, if an attacker sends an HTTP or gRPC request with an extremely long request path that is recorded by the grpc_stats filter configured with stats_for_all_methods: true.

The result is a heap write overflow that can cause a process crash (denial-of-service) or potentially allow remote code execution (RCE).

Impact Analysis

This vulnerability can impact you by causing a denial-of-service condition where the Envoy process crashes due to the heap buffer overflow.

More severely, because the overflow is a heap write whose length and content derive from an attacker-supplied request path, it may be exploitable for remote code execution inside the Envoy process, which would compromise the proxy and every workload that trusts it.

Detection Guidance

This vulnerability is a heap buffer overflow triggered by exceptionally long statistic names (greater than 16KiB) in Envoy's TCP StatsD sink, so detection comes down to spotting the inputs that produce such names: request paths, and the resulting stat names, far longer than anything legitimate. Note that 16KiB is the size of the flush slice; the flushed line also carries the sink prefix, the value and the metric type, so alert on names and paths well below 16KiB rather than exactly at it.

Inspect Envoy access logs for HTTP or gRPC requests with extremely long :path values (the default access log format records the path, and a custom format can include %REQ(:PATH)%), especially on listeners where the grpc_stats filter is configured with stats_for_all_methods: true. The admin interface's /stats endpoint lists every stat name the process holds and can be scanned the same way.

The resources do not provide specific commands. Packet capture with tcpdump or Wireshark, filtered for long URI paths, only shows the path where traffic reaches Envoy unencrypted; where Envoy terminates TLS, its own access log is the practical place to see the path in the clear, and it is the better source regardless because it is already structured per request.
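The following script is an added example for this page, not Envoy project code: it implements the two checks above over text Envoy already produces, a dump of the admin /stats endpoint and access-log lines in Envoy's default format, so they work behind TLS where a packet capture would not show the path. The sample stats dump and log lines are constructed, and the alert thresholds (8192 bytes by default, deliberately below the 16384-byte slice) are this example's choice.

```shell
#!/bin/sh
# Added example for CVE-2026-48706 (not Envoy project code): two detection
# checks over text Envoy already emits.
#  1. scan an admin /stats dump ("name: value" per line) for metric names whose
#     length approaches the 16KiB flush slice;
#  2. scan access-log lines in Envoy's default format for very long :path values.
# Sample inputs are constructed below; thresholds are this example's choice.

# Repeat character $1 $2 times (used only to build the constructed samples).
repeat_char() {
  awk -v c="$1" -v n="$2" 'BEGIN {
    s = c; while (length(s) < n) s = s s; printf "%s", substr(s, 1, n) }'
}

LONG_NAME=$(repeat_char a 17000)   # 17000-byte method name, longer than the slice

# Constructed /stats dump: two normal metrics and one with an oversized name.
STATS_DUMP="cluster.statsd_cluster.upstream_cx_total: 4
grpc.pkg.Service.Method.success: 12
grpc.${LONG_NAME}.total: 1"

# Constructed access-log lines in Envoy's default format; the request line is
# the first double-quoted field: "METHOD PATH PROTOCOL".
ACCESS_LOG=$(cat <<EOF
[2026-06-26T10:00:00.000Z] "POST /pkg.Service/Method HTTP/2" 200 - 5 5 3 2 "-" "grpc-go/1.60.0" "req-1" "api.example.com" "10.0.0.5:8080"
[2026-06-26T10:00:01.000Z] "POST /${LONG_NAME}/Method HTTP/2" 200 - 5 5 3 2 "-" "grpc-go/1.60.0" "req-2" "api.example.com" "10.0.0.5:8080"
EOF
)

# Print "<length> <first 40 chars>" for each stat name longer than $2 (default 8192).
# Live use: long_stat_names "$(curl -s http://127.0.0.1:9901/stats)"
long_stat_names() {
  threshold=${2:-8192}
  printf '%s\n' "$1" | awk -F': ' -v t="$threshold" '
    length($1) > t { print length($1), substr($1, 1, 40) }'
}

# Print "<length> <first 40 chars>" for each :path longer than $2 (default 8192).
# Live use: long_request_paths "$(tail -n 10000 /var/log/envoy/access.log)"
long_request_paths() {
  threshold=${2:-8192}
  printf '%s\n' "$1" | awk -F'"' -v t="$threshold" '
    { n = split($2, req, " ")
      if (n >= 2 && length(req[2]) > t) print length(req[2]), substr(req[2], 1, 40) }'
}

# Counts, for alert rules and for the checks below.
count_long_stat_names()    { long_stat_names "$@"    | wc -l | tr -d ' '; }
count_long_request_paths() { long_request_paths "$@" | wc -l | tr -d ' '; }

# Stand-alone run against the constructed samples.
echo "oversized stat names in sample dump: $(count_long_stat_names "$STATS_DUMP")"
echo "oversized :path values in sample log: $(count_long_request_paths "$ACCESS_LOG")"
```

Both scanners print the length and a short prefix rather than the full name, since an oversized name of this kind is itself tens of kilobytes and would drown the alert. A positive hit from the stats scan on an affected version is also a sign the process has already survived at least one flush with that name, so treat it as an incident, not only as a tuning signal.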
