Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Conclusion & alert: CVE-2026-48706 is rated Low Risk (38.4/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.56%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-27 | — | 0.56% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.9 | 3.1 | MEDIUM |
|
2.2 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| envoyproxy | envoy | >= 1.34.0, < 1.35.13 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| envoyproxy | envoy | >= 1.36.0, < 1.36.9 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| envoyproxy | envoy | >= 1.37.0, < 1.37.5 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| envoyproxy | envoy | >= 1.38.0, < 1.38.3 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4 | Vendor Advisory Mitigation |