BIT-envoy-2026-48090

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2026-48090.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-envoy-2026-48090
Aliases
Published
2026-06-30T23:39:35.098Z
Modified
2026-07-08T08:11:20.819148971Z
Summary
Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)
Details

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / envoy

Package

Name
envoy
Purl
pkg:bitnami/envoy

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
1.37.0
Fixed
1.37.5
Introduced
1.38.0
Fixed
1.38.3

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2026-48090.json"