CVE-2026-48706
Severity CVSS v4.0:
Pending analysis
Type:
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
26/06/2026
Last modified:
29/06/2026
Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.34.0 (including) | 1.35.13 (excluding) |
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.36.0 (including) | 1.36.9 (excluding) |
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.37.0 (including) | 1.37.5 (excluding) |
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.38.0 (including) | 1.38.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



