PatchSiren

CVE-2026-48042 envoyproxy CVE debrief

CVE-2026-48042 is a high-severity denial-of-service vulnerability in Envoy, the open-source edge and service proxy. The destructor of Envoy's JSON object type tears down nested objects recursively, so destroying a document nested approximately 100,000 levels deep exhausts the thread stack and crashes the process. The issue was fixed in Envoy 1.35.11, 1.36.7, 1.37.3 and 1.38.1. It carries a CVSS 3.1 base score of 7.5 (HIGH). The CVE was published on June 26, 2026 and last modified on June 29, 2026.

Vendor
envoyproxy
Product
envoy
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-06-29
Advisory published
2026-06-26
Advisory updated
2026-06-29

Who should care

Anyone running Envoy older than 1.35.11, 1.36.7, 1.37.3 or 1.38.1 is affected. The exposure is greatest for operators who front untrusted clients with Envoy on paths where it parses JSON, since the CVSS vector is network-reachable and requires neither authentication nor user interaction. Cloud-native platform teams that ship Envoy as a sidecar or ingress proxy should treat this as a fleet-wide upgrade: a single crafted payload can take down a proxy instance, and an attacker can simply keep sending it.

Technical summary

Envoy's JSON object destructor frees child objects by recursion, one stack frame per nesting level. A document nested roughly 100,000 levels deep therefore overflows the thread stack when the object is destroyed, and a native stack overflow terminates the whole process rather than raising an error the caller could handle. The fix shipped in Envoy 1.35.11, 1.36.7, 1.37.3 and 1.38.1. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low complexity, no privileges or user interaction, high impact on availability and none on confidentiality or integrity, which yields the 7.5 (HIGH) score. The associated weakness is CWE-1124 (Excessively Deep Nesting). The advisory does not enumerate which listeners or filters feed attacker-controlled JSON into the affected parser, so treat any path on which Envoy parses JSON from untrusted input as exposed until it is patched.

Defensive priority

Upgrade to a fixed release (1.35.11, 1.36.7, 1.37.3 or 1.38.1) as a high priority. Until the upgrade lands, watch for Envoy worker crashes and restarts: a stack overflow kills the process with a segmentation fault or similar abnormal exit before anything is logged at the application level, so count restarts and correlate them with unusually large JSON request bodies rather than waiting for a log message that will not appear.

Recommended defensive actions

  • Upgrade to Envoy 1.35.11, 1.36.7, 1.37.3 or 1.38.1 (or later) everywhere Envoy runs, including sidecars and bundled distributions that vendor their own Envoy build.
  • Alert on Envoy process crashes and restarts (segmentation faults, abnormal exit codes, orchestrator restart counts) rather than on log content, and correlate them with large JSON-bearing requests.
  • Bound the size of untrusted input that reaches Envoy's JSON parsing. A payload nested 100,000 levels deep is at least a few hundred kilobytes of brackets, so a request body size limit at the edge is a cheap stopgap that does not require understanding the payload.
  • Where a JSON-aware component already sits in front of Envoy (an API gateway, WAF or the application itself), enforce a nesting depth limit there; a limit in the low hundreds is general guidance, not a value from the advisory, and is far above what ordinary API traffic uses.
  • If an immediate upgrade is not feasible, reduce exposure by restricting which listeners accept JSON bodies from untrusted clients and applying the size limits above; disabling JSON processing outright is rarely an option in practice.
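The recursive-destructor failure mode from the technical summary, and the depth and size limits in the list above, as an added C++ example. This is illustrative code written for this debrief, not Envoy's JSON implementation or any code from the project; the node types, the `json_nesting_depth` guard, the 256-level limit and the sample payload are all assumptions made here.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Vulnerable shape (hypothetical, not Envoy's type): each level owns the next
// through a unique_ptr, so the compiler-generated destructor calls the child's
// destructor, which calls the grandchild's, and so on: one stack frame per
// nesting level. ~100,000 levels exhausts a typical thread stack.
struct RecursiveNode {
    std::unique_ptr<RecursiveNode> child;
};

// Hardened shape: the destructor detaches the subtree and frees it level by
// level in a loop. Every node freed inside the loop has already had its own
// child moved out, so its destructor returns at once: O(1) stack at any depth.
struct IterativeNode {
    std::unique_ptr<IterativeNode> child;
    ~IterativeNode() {
        std::unique_ptr<IterativeNode> cur = std::move(child);
        while (cur) {
            std::unique_ptr<IterativeNode> next = std::move(cur->child);
            cur = std::move(next);  // frees the old `cur`, whose child is now null
        }
    }
};

// Build a chain `depth` levels deep, iteratively (construction is not the bug).
template <typename Node>
std::unique_ptr<Node> build_chain(std::size_t depth) {
    std::unique_ptr<Node> root;
    for (std::size_t i = 0; i < depth; ++i) {
        std::unique_ptr<Node> n(new Node());
        n->child = std::move(root);
        root = std::move(n);
    }
    return root;
}

// Build and immediately destroy a chain; returns the depth that was freed.
// drop_recursive_chain(100000) reproduces the crash shape on most systems, so
// call it only at small depths unless you intend to watch the process die.
std::size_t drop_recursive_chain(std::size_t depth) {
    auto root = build_chain<RecursiveNode>(depth);
    root.reset();
    return depth;
}
std::size_t drop_iterative_chain(std::size_t depth) {
    auto root = build_chain<IterativeNode>(depth);
    root.reset();
    return depth;
}

// Pre-parse guard: maximum bracket nesting depth of a JSON document, ignoring
// brackets inside string literals, stopping as soon as `limit` is exceeded.
// The limit itself is the caller's policy decision (assumption: low hundreds).
struct DepthResult { std::size_t max_depth; bool exceeded; };

DepthResult json_nesting_depth(const std::string& doc, std::size_t limit) {
    std::size_t depth = 0, max_depth = 0;
    bool in_string = false, escaped = false;
    for (char c : doc) {
        if (in_string) {
            if (escaped)        escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;
        }
        if (c == '"') {
            in_string = true;
        } else if (c == '{' || c == '[') {
            if (++depth > max_depth) max_depth = depth;
            if (depth > limit) return {max_depth, true};
        } else if ((c == '}' || c == ']') && depth > 0) {
            --depth;
        }
    }
    return {max_depth, false};
}

// Constructed sample payload: {"a":{"a":...1...}} nested `depth` levels. It costs
// 6 bytes per level, so 100,000 levels is ~600 KB, which is why a request body
// size limit alone already blocks this shape of input.
std::string nested_objects(std::size_t depth) {
    std::string s;
    for (std::size_t i = 0; i < depth; ++i) s += "{\"a\":";
    s += "1";
    for (std::size_t i = 0; i < depth; ++i) s += "}";
    return s;
}

int main() {
    DepthResult r = json_nesting_depth(nested_objects(100000), 256);
    std::printf("depth guard: exceeded=%d, stopped at depth %zu\n", r.exceeded, r.max_depth);
    std::printf("iterative destructor freed %zu levels\n", drop_iterative_chain(1000000));
    std::printf("recursive destructor freed %zu levels (safe only because shallow)\n",
                drop_recursive_chain(1000));
    return 0;
}
```

The guard rejects the 100,000-level payload after reading 257 opening brackets, long before any tree is built, and the iterative destructor frees a million-level chain without touching the stack depth; the recursive variant is only ever exercised at a shallow depth here because at the depth named in the advisory it would crash the demonstration itself.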

Evidence notes

The CVE record and the NVD entry are the authoritative sources for CVE-2026-48042; the GitHub references add context on the vulnerability and the fixes. The publication date (June 26, 2026), the last-modified date (June 29, 2026) and the CVSS 3.1 base score of 7.5 (HIGH) are as recorded there. No CISA KEV listing is present in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.