A vulnerability labeled as critical has been found in envoyproxy envoy up to 1.36.8/1.37.4/1.38.2 . Affected by this issue is the function ConnectionManagerImpl::doDeferredStreamDestroy of the component Protected WebSocket Endpoint . Such manipulation leads to use after free. This vulnerability is uniquely identified as CVE-2026-47205 . The attack can be launched remotely. No exploit exists. The affected component should be upgraded.