{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48090", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-20T18:40:45.833Z", "datePublished": "2026-06-26T18:03:05.257Z", "dateUpdated": "2026-06-26T18:03:05.257Z"}, "containers": {"cna": {"title": "Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.38.0, < 1.38.3", "status": "affected"}, {"version": ">= 1.37.0, < 1.37.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-26T18:03:05.257Z"}, "descriptions": [{"lang": "en", "value": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object\u2019s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3."}], "source": {"advisory": "GHSA-3cj2-c63f-q26f", "discovery": "UNKNOWN"}}}}

{}

{}

{"bugzilla": {"description": "Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)", "id": "2493650", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493650"}, "csaw": false, "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-48090", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-proxyv2-rhel9", "product_name": "OpenShift Service Mesh 3"}], "public_date": "2026-06-26T18:03:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-48090\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-48090\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f"], "statement": "Red Hat products ship Envoy versions prior to 1.37.0, which do not contain the vulnerable OAuth2 filter async token exchange code introduced in 1.37.0. Red Hat products are therefore not affected by this vulnerability.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.38.0,1.38.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.37.0,1.37.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "envoy", "source": "cna", "vendor": "envoyproxy"}, "product": "envoy", "vendor": "envoyproxy"}], "created": "2026-06-26T20:30:06.198803+00:00", "updated": "2026-06-26T23:00:08.465499+00:00", "vendors": ["envoyproxy", "envoyproxy$PRODUCT$envoy"]}