CVE-2026-48090
Published 2026-06-26
Priority: P3 (35) · CVSS 3.1: 5.9 medium
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.58% (43.3rd percentile)
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | >= 1.37.0 < 1.37.5 | 1.37.5 |
| envoyproxy | envoy | >= 1.38.0 < 1.38.3 | 1.38.3 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Red Hat (vendor) | 5.9 | MEDIUM | — |
VulDB
CVE-2026-48090 [MEDIUM] envoyproxy envoy up to 1.37.4/1.38.2 use after free
vuldb · 2026-06-26 · CVSS 5.9
A vulnerability marked as critical has been reported in envoyproxy envoy up to 1.37.4/1.38.2. Affected is an unknown function. This manipulation causes use after free.
The identification of this vulnerability is CVE-2026-48090. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
Red Hat
CVE-2026-48090 [MEDIUM] Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)
vendor_redhat · 2026-06-26 · CVSS 5.9
No description is available for this CVE.
Statement: Red Hat products ship Envoy versions prior to 1.37.0, which do not contain the vulnerable OAuth2 filter async token exchange code introduced in 1.37.0. Red Hat products are therefore not affected by this vulnerability.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: openshift-service-mesh/proxyv2-rhel9 (OpenShift Service Mesh 2) - Not affected
Package: openshift-service-mesh/istio-proxyv2-rhel9 (OpenShift Service Mesh 3) - Not affected
No detection rules found.
No public exploits indexed.
Published: 2026-06-26