<Vulnerability name="CVE-2026-48743">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-26T17:34:22</PublicDate>
    <Bugzilla id="2494518" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494518" xml:lang="en:us">
envoy: Envoy: Request desynchronization allows security policy bypass via HTTP/3 to HTTP/1 translation
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-444</CWE>
    <Details xml:lang="en:us" source="Mitre">
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Envoy, an open source edge and service proxy. This vulnerability occurs when Envoy translates an HTTP/3 request that is complete at the transport layer but still carries a nonzero Content-Length into an HTTP/1 request for an upstream server. If the upstream server responds before fully reading the declared body, a subsequent Envoy-generated request can be misinterpreted as part of the previous one. This can lead to a request desynchronization, allowing an attacker to bypass security policies and access unauthorized resources.
    </Details>
    <Statement xml:lang="en:us">
This is an Important flaw in Envoy, affecting Red Hat OpenShift Service Mesh and cloud.redhat.com deployments. The vulnerability arises from improper handling of HTTP/3 to HTTP/1 request translation, where a complete HTTP/3 request with a non-zero Content-Length can lead to request desynchronization on the upstream HTTP/1 server. This desynchronization allows an attacker to bypass security policies, potentially gaining unauthorized access to internal resources or services.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:service_mesh:2">
        <ProductName>OpenShift Service Mesh 2</ProductName>
        <FixState>Will not fix</FixState>
        <PackageName>openshift-service-mesh/proxyv2-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-service-mesh/istio-proxyv2-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48743
https://nvd.nist.gov/vuln/detail/CVE-2026-48743
https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf
    </References>
</Vulnerability>