CVE-2021-43826

7.5 HIGH

📋 TL;DR

Envoy proxy versions with upstream tunneling configured can crash when a downstream client disconnects while the upstream connection is still being established. This denial-of-service vulnerability affects all Envoy deployments using tunneling configurations. The crash occurs due to a use-after-free condition (CWE-416).

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions before 1.20.2, 1.19.3, 1.18.6, and 1.17.3
Operating Systems: All operating systems running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured with upstream tunneling (tunneling_config). Standard TCP proxy configurations without tunneling are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption for all traffic passing through the affected Envoy instance, requiring manual restart and causing extended downtime.

🟠 Likely Case: Intermittent crashes of Envoy instances under specific network conditions, leading to partial service disruption and degraded reliability.

🟢 If Mitigated: No impact if patched or if tunneling configuration is not used; otherwise, crashes may still occur but can be automatically recovered by orchestration systems.

🌐 Internet-Facing: HIGH - Internet-facing Envoy instances with tunneling are directly exposed to malicious clients who can trigger the crash intentionally.
🏢 Internal Only: MEDIUM - Internal Envoy instances with tunneling could be crashed by legitimate clients experiencing network issues or by internal attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to trigger the specific timing condition. No authentication or special packets needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.2, 1.19.3, 1.18.6, or 1.17.3

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-cmx3-fvgf-83mf

Restart Required: Yes

Instructions:

1. Identify the running Envoy version.
2. Upgrade to a patched version (1.20.2, 1.19.3, 1.18.6, or 1.17.3).
3. Restart the Envoy service.
4. Verify that the new version is running.

🔧 Temporary Workarounds

Disable Upstream Tunneling

Remove or disable tunneling_config from TCP proxy configurations if not required for functionality.

# Edit the Envoy configuration to remove tunneling_config sections
# Example: remove or comment out the tunneling_config: block under the TCP proxy filter in YAML configs

🧯 If You Can't Patch

  • Disable upstream tunneling configuration if not absolutely required
  • Implement circuit breakers and automatic restart mechanisms to minimize downtime from crashes

🔍 How to Verify

Check if Vulnerable:

Check the Envoy version and the configuration for tunneling_config usage. The instance is vulnerable only when both conditions hold: the version is below the patched release for its minor branch (1.20.2, 1.19.3, 1.18.6, or 1.17.3) AND tunneling_config is present in a TCP proxy filter.

Check Version:

envoy --version

Verify Fix Applied:

Confirm the Envoy version is at or above the patched release for its branch (1.20.2, 1.19.3, 1.18.6, or 1.17.3), and verify the service remains stable during connection churn (clients disconnecting while upstream connections are still being established).
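The two checks above (version below the patched release for its branch, and tunneling_config present in the TCP proxy configuration) combined into one script. This is an added example, not from the advisory or the Envoy project; the `envoy --version` output and the listener configuration are constructed samples, and versions on branches this page does not list are reported as unknown rather than guessed.

```python
import re
# First release on each minor branch carrying the fix, per this advisory.
FIXED = {(1, 17): (1, 17, 3), (1, 18): (1, 18, 6),
         (1, 19): (1, 19, 3), (1, 20): (1, 20, 2)}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# An uncommented YAML key named tunneling_config, at any indentation.
TUNNELING_RE = re.compile(r"^[ \t-]*tunneling_config\s*:", re.MULTILINE)

# Constructed samples: the shape of `envoy --version` output and a TCP proxy
# filter with upstream tunneling enabled (the vulnerable combination).
SAMPLE_VERSION = ("envoy  version: 0123456789abcdef0123456789abcdef01234567"
                  "/1.20.1/Clean/RELEASE/BoringSSL")
SAMPLE_CONFIG = """\
filter_chains:
- filters:
  - name: envoy.filters.network.tcp_proxy
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
      stat_prefix: tcp
      cluster: upstream_h2
      tunneling_config:
        hostname: example.internal:443
"""

def parse_version(version_output):
    """Pull x.y.z out of `envoy --version` output (the build SHA has no dots)."""
    m = VERSION_RE.search(version_output)
    if m is None:
        raise ValueError(f"no x.y.z version in {version_output!r}")
    return tuple(int(g) for g in m.groups())

def version_status(v):
    """'fixed', 'vulnerable', or 'unknown' for branches this page does not list."""
    branch = v[:2]
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"   # older branch with no fixed release listed here
    return "unknown"          # newer branch: consult the vendor advisory

def config_uses_tunneling(config_yaml):
    return TUNNELING_RE.search(config_yaml) is not None

def assess(version_output, config_yaml):
    """Vulnerable only if the version lacks the fix AND tunneling_config is set."""
    if not config_uses_tunneling(config_yaml):
        return "not-affected"  # plain TCP proxying never reaches the crash path
    status = version_status(parse_version(version_output))
    return "not-affected" if status == "fixed" else status
```

Feed it the real `envoy --version` output and the rendered listener YAML; a commented-out `# tunneling_config:` line is correctly treated as absent.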

📡 Detection & Monitoring

Log Indicators:

  • Envoy crash logs
  • Segmentation fault errors
  • Process termination without normal shutdown

Network Indicators:

  • Sudden loss of connectivity through Envoy
  • Increased TCP connection resets

SIEM Query:

process.name:"envoy" AND (log_level:error OR log_level:critical) AND message:("crash" OR "segmentation fault")
