Envoy: Stack overflow in destructor of highly nested JSON

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Basic Information

ID CVE-2026-48042

Source GitHub_M

Published Jun 26, 2026 at 17:29

Affected Product

Vendor envoyproxy

Product envoy

Version >= 1.38.0, < 1.38.1

Affected Versions envoyproxy envoy >= 1.38.0, < 1.38.1
envoyproxy envoy >= 1.37.0, < 1.37.3
envoyproxy envoy >= 1.36.0, < 1.36.7
envoyproxy envoy < 1.35.11

CWE Classification

CWE-1124

References

{
    "lastseen": "",
    "description": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.",
    "published": "2026-06-26T17:29:14.964Z",
    "modified": "2026-06-26T17:29:14.964Z",
    "type": "cve",
    "title": "Envoy: Stack overflow in destructor of highly nested JSON",
    "source": "GitHub_M",
    "references": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv\nhttps://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21",
    "id": "CVE-2026-48042",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1124"
    ],
    "cvelist": null,
    "sourceData": "envoyproxy envoy >= 1.38.0, < 1.38.1\nenvoyproxy envoy >= 1.37.0, < 1.37.3\nenvoyproxy envoy >= 1.36.0, < 1.36.7\nenvoyproxy envoy < 1.35.11",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "envoy",
    "version": ">= 1.38.0, < 1.38.1",
    "vendor": "envoyproxy",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Envoy: Stack overflow in destructor of highly nested JSON_CVE-2026-48042