Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization
Moderate severity
GitHub Reviewed
Published
Jun 5, 2026
in
envoyproxy/gateway
•
Updated Jul 16, 2026
Package
Affected versions
>= 1.8.0-rc.0, < 1.8.1
< 1.7.4
Patched versions
1.8.1
1.7.4
Description
Published to the GitHub Advisory Database
Jul 16, 2026
Reviewed
Jul 16, 2026
Last updated
Jul 16, 2026
Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4):
Description:
A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.
References