cbcvebase.
CVE-2026-47778
published 2026-06-26

CVE-2026-47778: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was…

PriorityP425medium4.4CVSS 3.1
AVNACHPRHUINSUCHINAN
EPSS
0.21%
11.5th percentile
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Affected

8 ranges
VendorProductVersion rangeFixed in
envoyproxyenvoy< 1.35.111.35.11
envoyproxyenvoy< 1.35.131.35.13
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy>= 1.36.0 < 1.36.91.36.9
envoyproxyenvoy>= 1.37.0 < 1.37.51.37.5
envoyproxyenvoy>= 1.38.0 < 1.38.31.38.3

CVSS provenance

nvdv3.14.4MEDIUMCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
vendor_redhat5.1MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.