CVE-2021-43826

Summary

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for :ref:upstream tunneling <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config> and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. There are no workarounds for this issue. Users are advised to upgrade.

Affected Software

VendorProductVersion RangeStatus
envoyproxyenvoy< 1.18.6affected
envoyproxyenvoy>= 1.19.0, < 1.19.3affected
envoyproxyenvoy>= 1.20.0, < 1.20.2affected
envoyproxyenvoy>= 1.21.0, < 1.21.1affected

Weaknesses

  • CWE-416: CWE-416: Use After Free

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References