Stack Overflow Vulnerability in Envoy Proxy Affects Cloud-Native Applications
CVE-2026-48042

7.5HIGH

Key Information:

Vendor: Envoyproxy
Status: Envoy
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-48042?

The Envoy Proxy, an open-source edge and service proxy, experiences a vulnerability related to a stack overflow caused by the destructor of JSON objects. This issue arises when the JSON data structure is excessively nested, leading to potential crashes and service interruptions. The vulnerability affects specific versions of Envoy prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, highlighting the importance of upgrading to the latest versions to ensure stable and secure operation.

Affected Version(s)

envoy >= 1.38.0, < 1.38.1 < 1.38.0, 1.38.1

envoy >= 1.37.0, < 1.37.3 < 1.37.0, 1.37.3

envoy >= 1.36.0, < 1.36.7 < 1.36.0, 1.36.7

References

https://github.com/envoyproxy/envoy/security/advisories/G...

x_refsource_CONFIRM

https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-48042 Data

JSON

Envoyproxy

What is CVE-2026-48042?

Affected Version(s)

References

CVSS V3.1

Timeline