CVE-2026-47220
Published 2026-06-26
Priority: P3 · 43
Severity: high · CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.66% (47.1 percentile)
Envoy is an open source edge and service proxy designed for cloud-native applications. In releases from 1.37.0 before 1.37.5 and from 1.38.0 before 1.38.3, when %REQUESTED_SERVER_NAME(X:Y)% is used in the access log format together with a host-related option such as HOST_FIRST or SNI_FIRST, a request whose host header is missing can crash Envoy: a remotely triggerable denial of service, classified by Red Hat as CWE-476 (null pointer dereference). Both conditions are needed; the bare %REQUESTED_SERVER_NAME% formatter is not named in the advisory, and releases before 1.37.0 do not contain the host-related formatter code. The vulnerability is fixed in 1.37.5 and 1.38.3.
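The trigger has two parts, an affected release and a %REQUESTED_SERVER_NAME(X:Y)% formatter whose options include HOST_FIRST or SNI_FIRST, so a useful first check is to test a deployment for both. The script below is an added example for that check; it is not part of the advisory and not Envoy project code. It assumes `envoy --version` prints a `<sha>/MAJOR.MINOR.PATCH/...` string, matches the two option names anywhere inside the formatter's parentheses (the advisory does not spell out the full argument grammar), and uses a constructed access-log fragment in which `HOST_FIRST:Y` stands in for whatever `X:Y` a real deployment uses.

```python
"""Added example: flag Envoy deployments that match both CVE-2026-47220 trigger
conditions (affected release + %REQUESTED_SERVER_NAME(...)% with HOST_FIRST/SNI_FIRST).
Not Envoy project code; version ranges are taken from the advisory text."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Advisory ranges: [first affected, first fixed) for each release branch.
# Releases before 1.37.0 do not contain the host-related formatter code.
AFFECTED_RANGES = (
    ((1, 37, 0), (1, 37, 5)),
    ((1, 38, 0), (1, 38, 3)),
)

# Formatter options the advisory names as the crash precondition.
RISKY_OPTIONS = {"HOST_FIRST", "SNI_FIRST"}

# Matches %REQUESTED_SERVER_NAME(<args>)%; the bare %REQUESTED_SERVER_NAME% form is not matched.
FORMATTER_RE = re.compile(r"%REQUESTED_SERVER_NAME\(([^)]*)\)%")


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from a bare string or `envoy --version` output
    (assumed form: 'envoy  version: <sha>/1.37.4/Clean/RELEASE/BoringSSL')."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_affected(v: Version) -> bool:
    """True when v falls inside one of the advisory's affected ranges."""
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(v: Version) -> Optional[str]:
    """First fixed release on v's branch, or None if v is not affected."""
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


def risky_formatters(config_text: str) -> List[str]:
    """Return each %REQUESTED_SERVER_NAME(...)% occurrence whose argument list
    contains HOST_FIRST or SNI_FIRST. Arguments are split on ':' (and ',' or
    whitespace) because the advisory writes the form as (X:Y); matching is
    case-insensitive as an assumption, not something the advisory states."""
    hits = []
    for m in FORMATTER_RE.finditer(config_text):
        args = {a.upper() for a in re.split(r"[:,\s]+", m.group(1).strip()) if a}
        if args & RISKY_OPTIONS:
            hits.append(m.group(0))
    return hits


def assess(version_text: str, config_text: str) -> dict:
    """Combine both conditions: exposed only when the release is affected AND the
    risky formatter is configured. Either one alone is not the advisory's trigger."""
    v = parse_version(version_text)
    affected = v is not None and version_affected(v)
    fmts = risky_formatters(config_text)
    return {
        "version": v,
        "version_affected": affected,
        "fixed_in": fixed_version_for(v) if v else None,
        "risky_formatters": fmts,
        "exposed": affected and bool(fmts),
    }


# Constructed sample inputs (not captured from a real system).
SAMPLE_VERSION_OUTPUT = "envoy  version: 0123456789abcdef0123456789abcdef01234567/1.37.4/Clean/RELEASE/BoringSSL"
# HOST_FIRST:Y stands in for a real deployment's X:Y arguments; the check keys only on the option name.
SAMPLE_CONFIG = """\
access_log:
- name: envoy.access_loggers.stdout
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
    log_format:
      text_format_source:
        inline_string: "%START_TIME% %REQUESTED_SERVER_NAME(HOST_FIRST:Y)% %REQ(:METHOD)% %REQ(:PATH)%"
"""
# Same log line with the option-less formatter, which the advisory does not implicate.
SAFE_CONFIG = SAMPLE_CONFIG.replace("%REQUESTED_SERVER_NAME(HOST_FIRST:Y)%", "%REQUESTED_SERVER_NAME%")

if __name__ == "__main__":
    for label, cfg in (("risky", SAMPLE_CONFIG), ("safe", SAFE_CONFIG)):
        r = assess(SAMPLE_VERSION_OUTPUT, cfg)
        print(label, r["version"], "affected release:", r["version_affected"],
              "formatters:", r["risky_formatters"], "exposed:", r["exposed"])
```

Run it against the real `envoy --version` output and the rendered configuration (including any config delivered by xDS, which a static file scan will not see). A hit on the formatter alone on a pre-1.37.0 or patched build is not exposure under this advisory; a hit on both is, and the remedy the advisory gives is upgrading to 1.37.5 or 1.38.3.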
Affected
4 ranges listed; two carry version data, the other two are empty in the source
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | >= 1.37.0 < 1.37.5 | 1.37.5 |
| envoyproxy | envoy | >= 1.38.0 < 1.38.3 | 1.38.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Red Hat (vendor) | — | 7.5 | HIGH | — |
Red Hat
CVE-2026-47220 [HIGH] CWE-476
envoy: Envoy: Denial of Service via missing host header in specific logging configurations
vendor_redhat · 2026-06-26 · CVSS 7.5
A flaw was found in Envoy. A remote attacker can exploit this vulnerability by sending a request with a missing host header when the `%REQUESTED_SERVER_NAME(X:Y)%` is used in the log format and host-related options, such as HOST_FIRST or SNI_FIRST, are specified. This can lead to a crash of the Envoy proxy, resulting in a Denial of Service (DoS).
Statement: Red Hat products ship Envoy versions prior to 1.37.0, which do not contain the vulnerable %REQUESTED_SERVER_NAME% host-related logging code introduced in 1.37.0. Red Hat products are therefore not affected by this vulnerability.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red
VulDB
CVE-2026-47220 [HIGH]
envoyproxy envoy up to 1.37.4/1.38.2 Host Header null pointer dereference
vuldb · 2026-06-26 · CVSS 7.5
A vulnerability categorized as problematic has been discovered in envoyproxy envoy up to 1.37.4/1.38.2. Affected is an unknown function of the component Host Header Handler. The manipulation results in null pointer dereference.
This vulnerability is known as CVE-2026-47220. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v
- https://access.redhat.com/security/cve/CVE-2026-47220
- https://bugzilla.redhat.com/show_bug.cgi?id=2493652
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47220.json