CVE-2026-47207

Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message

Assigner: GitHub_M
Reserved: 18.05.2026 Published: 26.06.2026 Updated: 26.06.2026

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, Envoy crashes if an ext_proc server sends a single gRPC message containing multiple, specially crafted ProcessingResponse messages. This can occur when the first response in the batch causes the gRPC stream object to be destroyed, leading to a use-after-free error when Envoy attempts to process subsequent responses in the same gRPC message. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	envoyproxy
Product	envoy
Versions	Version >= 1.38.0, < 1.38.3 is affected Version >= 1.37.0, < 1.37.5 is affected Version >= 1.36.0, < 1.36.9 is affected Version >= 1.34.0, < 1.35.13 is affected

Vendor

envoyproxy

Product

envoy

Versions

Version >= 1.38.0, < 1.38.3 is affected
Version >= 1.37.0, < 1.37.5 is affected
Version >= 1.36.0, < 1.36.9 is affected
Version >= 1.34.0, < 1.35.13 is affected

References

Problem Types

CWE-416: Use After Free CWE

CVE-2026-47207 PUBLISHED

Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message

Metrics

Product Status

References

Problem Types