Denial of Service Vulnerability in Envoy Proxy by Envoy Proxy
CVE-2026-48044
7.5 HIGH
What is CVE-2026-48044?
A vulnerability has been identified in the zstd decompressor implementation of Envoy Proxy that can lead to significant memory allocation when processing specially crafted zstd payloads. By exploiting this vulnerability, an attacker can trigger severe memory exhaustion, resulting in an Out-Of-Memory (OOM) termination of the Envoy proxy, thereby causing Denial of Service (DoS). The issue has been addressed in versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Affected Version(s)
envoy >= 1.38.0, < 1.38.1 < 1.38.0, 1.38.1
envoy >= 1.37.0, < 1.37.3 < 1.37.0, 1.37.3
envoy >= 1.36.0, < 1.36.7 < 1.36.0, 1.36.7
