{"id":"CVE-2020-10739","details":"Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service.","modified":"2026-04-11T16:25:38.038053Z","published":"2020-06-02T13:15:10.983Z","references":[{"type":"ADVISORY","url":"https://istio.io/news/security/istio-security-2020-005/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10739"},{"type":"FIX","url":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153#diff-fcf2cf5dd389b5285f882ba4a8708633"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/istio/envoy","events":[{"introduced":"0"},{"fixed":"8788a3cf255b647fd14e6b5e2585abaaedb28153"}]},{"type":"GIT","repo":"https://github.com/istio/istio","events":[{"introduced":"c4def934e4f8d1feb42725da41ee0078cde8397f"},{"fixed":"bdad3f25fef6e44c9485d7f0ae90b50e44a475b0"},{"introduced":"c3c353285578eb68b334fc8766746b754b6b3789"},{"fixed":"f27639c7369f8a6ef144ed8768f8acb27566d999"}],"database_specific":{"versions":[{"introduced":"1.4.0"},{"fixed":"1.4.9"},{"introduced":"1.5.0"},{"fixed":"1.5.4"}]}}],"versions":["1.4.0","1.4.1","1.4.3","1.4.5","1.4.8","1.5.0","1.5.2","1.5.3","v1.0.0","v1.1.0","v1.2.0","v1.3.0","v1.4.0","vtest_image_tag","vtest_image_tag2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T16:25:38Z","vanir_signatures":[{"digest":{"length":328,"function_hash":"144418771634602675266619924996445000105"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onDownstreamData"},"signature_type":"Function","id":"CVE-2020-10739-03c977b6","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":446,"function_hash":"119401861654085209639537905497552771115"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onRequestBody"},"signature_type":"Function","id":"CVE-2020-10739-0cc2daed","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":230,"function_hash":"292372990768365950324484642866959694509"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onRequestMetadata"},"signature_type":"Function","id":"CVE-2020-10739-1356a0cd","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":449,"function_hash":"175006914997678037736939362669164344467"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onResponseBody"},"signature_type":"Function","id":"CVE-2020-10739-1458bfb0","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":1784,"function_hash":"100948544781443413269912324761079751725"},"target":{"file":"test/extensions/wasm/wasm_test.cc","function":"TEST_P"},"signature_type":"Function","id":"CVE-2020-10739-166ce7de","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":238,"function_hash":"285582764189768012593364682494609597926"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onResponseTrailers"},"signature_type":"Function","id":"CVE-2020-10739-1e7c76ce","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":196,"function_hash":"328155305425271941194726340624054929958"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onUpstreamConnectionClose"},"signature_type":"Function","id":"CVE-2020-10739-2590a6f7","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":260,"function_hash":"142413371051953978010318518277266505230"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onStart"},"signature_type":"Function","id":"CVE-2020-10739-287e329b","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":90,"function_hash":"293853330474912094260888753044086776857"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onLog"},"signature_type":"Function","id":"CVE-2020-10739-2c370400","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":202,"function_hash":"320003177995607809135779470478168700342"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onDownstreamConnectionClose"},"signature_type":"Function","id":"CVE-2020-10739-3c81c540","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["229487963732046805401006134730619086679","201746524320129204509288921784944374114","121678224801768999699882851040779894596","90195317435430369512161828531462885935","80475174080544647056968308835315615338","16518257402151727957917425684438623935","39460086010914546348467350681593241988","256290862722264980609579949806059372185","264910779750008669473267029809515718163","287459172578879268878769306669981865752","158443016491593236865687549365039789868","127848866054052484928717882424947028196","129376021707437604914062114309113673798","17789418098630878769631936484683977908","264339536364621485070644412791850553685","257038805493150500485547371698347227488","1782158456084156232534229625671462120","281204095290916184439318375155011148263","291346458753061229235206107772181423007","288262888024542106871903771708060316001","330645290074450325988604305429257597164","137455758781017003278905473807517640498","1003665625717136654181391676767911305","260647774827107235677030798809033242026","119208384788935439528349396389353903916","276223332608640986299781113219229819270","109516425712183732509326973674792572118","338728363847898197038709500519525024732","161570372611001466729357046703789341920","133383199482441109775072814523400140262","42185089738384739236142475522861568956","199330581884932268346275067916790837820","53855938550033189786337750788792268993","79965210284109958565692450387365855017","234479000474573836448264123024374108470","254298741018658724755117258405148585263","244464890093160590730681477023591907553","131060112957589932817572435485446358145","24584433250297706450876303768725019954","155348840853419284968031487773621247111","104681328610406419344093443964936814849","109073831819973863699338151245555259908","249536865748361396287199340982698020672","14132225681002848380099217073303709464","149994745059662328213964871567992002956","19144918959376420759431493412661785244","151053836814424218505532295523672343939","136176846272358168126640663654553114498","145542321229486102072634827753736191725","20220889139776773101901092254254086898","328505530668940505588011691611691377423","107395740716856551328142331067801459246","275464874044183268998522449299892280132","272293166540362762795304337966075987232","185401602834059229540982445327591297790","337472478060507409818082232078732879795","64953109757020245593244887034503069808","304623102775806358946787999767398287931","247045618350982966882871927521461155146","223907878252227922085044875688200861013","111950426341137314370096143447081496442","97771006243574595796202023174186353715","315831541467536787304830010077947707633"],"threshold":0.9},"target":{"file":"source/extensions/common/wasm/wasm.cc"},"signature_type":"Line","id":"CVE-2020-10739-4074ef9a","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["4101917600231838749936092010098574884","82256776787673459636664290676749364148","133830639277006672250675814183088403597"],"threshold":0.9},"target":{"file":"source/extensions/common/wasm/wasm.h"},"signature_type":"Line","id":"CVE-2020-10739-493169a4","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":1572,"function_hash":"312369592459433731794113061395707827011"},"target":{"file":"test/extensions/wasm/wasm_test.cc","function":"TEST_P"},"signature_type":"Function","id":"CVE-2020-10739-4dbad02f","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":233,"function_hash":"145611263726665230511805826364003329064"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onResponseMetadata"},"signature_type":"Function","id":"CVE-2020-10739-4fb2c84f","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":322,"function_hash":"272003164781017359961435358495651604664"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onUpstreamData"},"signature_type":"Function","id":"CVE-2020-10739-625b1e1d","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":93,"function_hash":"171301711909469919114414188509995837875"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onDone"},"signature_type":"Function","id":"CVE-2020-10739-62e03295","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["159754038379105599111581434469798823834","106899935835100563931653431324426888692","142854688199199751945028568831800903181","236657048184413933002384182799839519792","98096873453750862276785309815277597490","179057625799544371662831883929224755370","52984856861645408102799027179347649628","37867054659920583653570523795229786101"],"threshold":0.9},"target":{"file":"test/extensions/wasm/wasm_test.cc"},"signature_type":"Line","id":"CVE-2020-10739-98bab6d9","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":99,"function_hash":"283774774090203922496631297024746589755"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onDelete"},"signature_type":"Function","id":"CVE-2020-10739-af57cd80","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":268,"function_hash":"106287267271398195855363053437578384698"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onNetworkNewConnection"},"signature_type":"Function","id":"CVE-2020-10739-be67d023","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"},{"digest":{"length":235,"function_hash":"22721760173472508881522443803828842964"},"target":{"file":"source/extensions/common/wasm/wasm.cc","function":"Context::onRequestTrailers"},"signature_type":"Function","id":"CVE-2020-10739-e6ef2591","source":"https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10739.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}