<Vulnerability name="CVE-2026-47204">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-26T17:37:17</PublicDate>
    <Bugzilla id="2494195" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494195" xml:lang="en:us">
envoy: Envoy: Denial of Service via Connect protocol request
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-476</CWE>
    <Details xml:lang="en:us" source="Mitre">
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpc_stats filter crashes (null pointer dereference / segfault) when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) hits a direct_response route. A single unauthenticated HTTP request crashes the Envoy process. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Envoy, an open source edge and service proxy. A remote attacker can exploit this vulnerability by sending a specially crafted Connect protocol request to a direct response route. This action causes the `envoy.filters.http.grpc_stats` filter to crash, leading to a denial of service (DoS) for the Envoy process. This can disrupt services relying on the proxy.
    </Details>
    <Statement xml:lang="en:us">
This Moderate-impact denial of service flaw in Envoy allows a remote, unauthenticated attacker to crash the Envoy proxy process by sending a specially crafted Connect protocol request to a direct response route. This vulnerability affects Red Hat OpenShift Service Mesh and cloud.redhat.com services that utilize Envoy, potentially disrupting service availability.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:service_mesh:2">
        <ProductName>OpenShift Service Mesh 2</ProductName>
        <FixState>Will not fix</FixState>
        <PackageName>openshift-service-mesh/proxyv2-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-service-mesh/istio-proxyv2-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-47204
https://nvd.nist.gov/vuln/detail/CVE-2026-47204
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6
    </References>
</Vulnerability>