CVE-2022-23606 MEDIUM

CVE-2022-23606: Crash when a cluster is deleted in Envoy

Vendor Envoyproxy
Product envoy
Weakness CWE-674
Published February 22, 2022
Last update April 23, 2025

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. When a cluster is deleted via the Cluster Discovery Service (CDS), all idle connections established to endpoints in that cluster are disconnected. A recursion introduced in the procedure that disconnects those idle connections can lead to stack exhaustion and abnormal process termination when the cluster has a large number of idle connections: the recursion depth grows with the number of idle connections rather than being bounded (CWE-674, uncontrolled recursion), so a large enough pool overflows the stack and crashes the Envoy process. The trigger is a control-plane action, removing a cluster from the CDS configuration, rather than a crafted client request, which is what the CVSS vector's high privileges-required and high attack-complexity ratings reflect; the impact is limited to availability. Users are advised to upgrade.
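The description says the crash comes from a recursion whose depth tracks the number of idle connections. The C++ sketch below is an added example, not Envoy's code or data structures: it models an idle-connection pool being torn down when its cluster is deleted, once with a close callback that synchronously re-enters the drain routine (the CWE-674 pattern) and once with the callback deferred to a flat work loop. Every name in it (IdleConnection, DrainStats, Drainer, RecursiveDrainer, IterativeDrainer, drainPoolOf) is invented for the illustration, and the pool of 1000 connections is constructed input.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <deque>
#include <functional>
#include <list>

// Constructed model of the bug class in the description (CWE-674, uncontrolled
// recursion). Added illustration, not Envoy's code or data structures: a pool of
// idle upstream connections is torn down when its cluster is removed, and each
// connection's close handler kicks off teardown of the next one.
struct IdleConnection {
    bool closed = false;
};

struct DrainStats {
    std::size_t max_depth = 0;  // deepest nesting of drainOne() observed
    std::size_t closed = 0;     // connections closed
};

// Shared plumbing: close the connection at the head of the pool, then fire the
// "connection closed" callback. Subclasses decide what that callback does.
class Drainer {
public:
    explicit Drainer(std::list<IdleConnection>& pool) : pool_(pool) {}
    virtual ~Drainer() = default;
    virtual DrainStats drainAll() = 0;
protected:
    void drainOne() {
        if (pool_.empty()) return;
        ++depth_;
        stats_.max_depth = std::max(stats_.max_depth, depth_);
        pool_.front().closed = true;
        pool_.pop_front();
        ++stats_.closed;
        onConnectionClosed();
        --depth_;
    }
    virtual void onConnectionClosed() = 0;
    std::list<IdleConnection>& pool_;
    DrainStats stats_;
    std::size_t depth_ = 0;
};

// Vulnerable pattern: the callback re-enters drainOne() synchronously, so every
// idle connection adds a stack frame. Nesting depth equals pool size, and a
// cluster with enough idle connections exhausts the stack and crashes the process.
class RecursiveDrainer : public Drainer {
public:
    using Drainer::Drainer;
    DrainStats drainAll() override {
        stats_ = DrainStats{};
        drainOne();
        return stats_;
    }
private:
    void onConnectionClosed() override { drainOne(); }  // recursion
};

// Hardened pattern: the callback only queues "continue draining"; a flat loop in
// drainAll() runs the queue after each frame has unwound, so the depth stays at 1
// regardless of how many idle connections the cluster had.
class IterativeDrainer : public Drainer {
public:
    using Drainer::Drainer;
    DrainStats drainAll() override {
        stats_ = DrainStats{};
        deferred_.push_back([this] { drainOne(); });
        while (!deferred_.empty()) {
            auto task = deferred_.front();
            deferred_.pop_front();
            task();
        }
        return stats_;
    }
private:
    void onConnectionClosed() override {
        deferred_.push_back([this] { drainOne(); });  // defer, do not recurse
    }
    std::deque<std::function<void()>> deferred_;
};

// Build a cluster's pool of n idle connections (constructed input) and drain it.
template <class D>
DrainStats drainPoolOf(std::size_t n) {
    std::list<IdleConnection> pool(n);
    D drainer(pool);
    return drainer.drainAll();
}

int main() {
    const std::size_t n = 1000;  // small on purpose; a real stack overflow needs far more
    DrainStats r = drainPoolOf<RecursiveDrainer>(n);
    DrainStats i = drainPoolOf<IterativeDrainer>(n);
    std::printf("recursive: closed=%zu max_depth=%zu\n", r.closed, r.max_depth);
    std::printf("iterative: closed=%zu max_depth=%zu\n", i.closed, i.max_depth);
}
```

Compile with `g++ -std=c++17`. Both drainers close all 1000 connections, but the recursive one reaches a nesting depth of 1000 while the iterative one never exceeds 1; scale the pool up far enough and only the recursive variant runs out of stack, which is the abnormal termination the advisory describes.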

Key dates

Disclosure timeline

February 22, 2022 CVE published
April 23, 2025 Record updated