Null Pointer Dereference in Envoy Service Proxy Impacts Cloud-Native Applications
CVE-2026-47221

5.9 MEDIUM

Key Information:

Vendor:
Envoyproxy
Status:
Vendor
CVE Published:
26 June 2026

What is CVE-2026-47221?

Envoy Proxy, an open-source service proxy, contains a null pointer dereference that an unauthenticated network attacker can trigger by sending a body-less POST, PUT, DELETE, or PATCH request to a route whose internal redirect policy lists HTTP 303 among its redirect response codes, provided the upstream service answers that request with an HTTP 303. Processing the internal redirect for the body-less request dereferences a null pointer and the Envoy process terminates with a segmentation fault, dropping every connection it was serving: a complete denial of service for that proxy until it is restarted. Confidentiality and integrity are not affected. Exposure is configuration-dependent: routes whose internal redirect policy does not include 303 cannot be driven into this path, and the attacker must also be able to elicit a 303 from the upstream, which is why the attack complexity below is rated High. Upgrading to a fixed release resolves the issue; until then, removing 303 from the redirect response codes of affected routes removes the trigger condition described here.

Affected Version(s)

envoy >= 1.38.0, < 1.38.3 (fixed in 1.38.3)

envoy >= 1.37.0, < 1.37.5 (fixed in 1.37.5)

envoy >= 1.36.0, < 1.36.9 (fixed in 1.36.9)
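The script below is an added example, not code from this advisory or from the Envoy project. It turns the two facts above into checks a practitioner can run before patching: it walks a parsed Envoy configuration (a static bootstrap or the admin config_dump, as JSON) and reports every internal_redirect_policy whose redirect_response_codes include 303, the trigger condition the description names, and it classifies an Envoy version string against the affected ranges listed above. The embedded configuration is constructed for the example; internal_redirect_policy, redirect_response_codes and max_internal_redirects are Envoy's RouteAction field names, and strip_303 is an interim mitigation derived from the trigger condition, not the upstream fix.

```python
"""Audit helpers for the Envoy internal-redirect 303 null pointer dereference.

Added example for the advisory above; not Envoy project code.
"""
import json

# Affected ranges as listed in the advisory: (lower inclusive, upper exclusive).
# Versions outside these ranges are simply not covered by the advisory's data.
AFFECTED_RANGES = (
    ((1, 36, 0), (1, 36, 9)),
    ((1, 37, 0), (1, 37, 5)),
    ((1, 38, 0), (1, 38, 3)),
)

TRIGGER_STATUS = 303  # the redirect code that reaches the crashing path


def parse_version(text):
    """Turn 'v1.38.2' or '1.38.2-dev' into a comparable tuple of ints."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_303_redirect_policies(node, path=""):
    """Recursively walk a parsed Envoy config and return the JSON path of every
    internal_redirect_policy whose redirect_response_codes contain 303.

    A recursive walk is used deliberately so the same function covers a static
    bootstrap, an RDS route table, or a full admin config_dump.
    """
    hits = []
    if isinstance(node, dict):
        policy = node.get("internal_redirect_policy")
        if isinstance(policy, dict):
            codes = policy.get("redirect_response_codes") or []
            if any(int(code) == TRIGGER_STATUS for code in codes):
                hits.append(path + ".internal_redirect_policy")
        for key, value in node.items():
            hits.extend(find_303_redirect_policies(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_303_redirect_policies(value, f"{path}[{index}]"))
    return hits


def strip_303(node):
    """Return a copy of the config with 303 removed from every
    redirect_response_codes list (interim mitigation until a fixed release is
    deployed). If a list becomes empty, Envoy falls back to its documented
    default of 302 only, which this issue does not reach.
    """
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "redirect_response_codes" and isinstance(value, list):
                out[key] = [code for code in value if int(code) != TRIGGER_STATUS]
            else:
                out[key] = strip_303(value)
        return out
    if isinstance(node, list):
        return [strip_303(value) for value in node]
    return node


# Constructed sample bootstrap: one route opts into 303 redirects (exposed),
# the other keeps the default codes (not exposed).
SAMPLE_CONFIG = json.loads("""
{
  "static_resources": {
    "listeners": [{
      "name": "ingress",
      "filter_chains": [{
        "filters": [{
          "name": "envoy.filters.network.http_connection_manager",
          "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
            "route_config": {
              "virtual_hosts": [{
                "name": "backend",
                "domains": ["*"],
                "routes": [
                  {"match": {"prefix": "/api"},
                   "route": {"cluster": "api",
                             "internal_redirect_policy": {
                               "max_internal_redirects": 3,
                               "redirect_response_codes": [302, 303]}}},
                  {"match": {"prefix": "/"},
                   "route": {"cluster": "web",
                             "internal_redirect_policy": {"max_internal_redirects": 1}}}
                ]
              }]
            }
          }
        }]
      }]
    }]
  }
}
""")


if __name__ == "__main__":
    for version in ("1.38.2", "1.38.3", "v1.36.8"):
        print(version, "affected" if is_affected(version) else "not in listed ranges")
    for hit in find_303_redirect_policies(SAMPLE_CONFIG):
        print("303 internal redirect enabled at", hit)
    print("after strip_303:", find_303_redirect_policies(strip_303(SAMPLE_CONFIG)))
```

To run it against a real deployment, load the bootstrap with a YAML parser (or fetch the admin endpoint's config_dump, which is already JSON) and pass the resulting object to find_303_redirect_policies; any reported path on a proxy whose version is_affected is a route that needs either the upgrade or the interim removal of 303.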

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability published