Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
{
"cwe_ids": [
"CWE-409"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48044.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "1.23.0"
},
{
"fixed": "1.35.13"
},
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.9"
},
{
"introduced": "1.37.0"
},
{
"fixed": "1.37.5"
},
{
"introduced": "1.38.0"
},
{
"fixed": "1.38.3"
}
],
"source": "CPE_RANGE"
}