CVE-2026-47778
Published 2026-06-26
Priority: P425 | Severity: medium | CVSS 3.1 base score: 4.4
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.21% (11.5th percentile)
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName, where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() is used, the implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), which prematurely truncates the string being evaluated. Envoy compares the truncated string against the exact required config_san match and returns true, thereby successfully validating the string containing the NUL byte for upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
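As an added illustration, not Envoy's own code, the following simplified matcher shows why a `.c_str()` hand-off truncates at an embedded NUL while passing the full-length `string_view` does not, and how the hardened path also rejects such a SAN outright. `dnsNameMatch`, `verifySanVulnerable`, `verifySanFixed` and the sample SAN are constructed stand-ins for the Envoy helpers named above, using std::string_view in place of absl::string_view.

```cpp
#include <cctype>
#include <string>
#include <string_view>

// Case-insensitive byte comparison of two views of equal length.
static bool equalsIgnoreCase(std::string_view a, std::string_view b) {
  if (a.size() != b.size()) return false;
  for (size_t i = 0; i < a.size(); ++i) {
    if (std::tolower(static_cast<unsigned char>(a[i])) !=
        std::tolower(static_cast<unsigned char>(b[i]))) return false;
  }
  return true;
}

// Simplified stand-in (assumption, not Envoy's implementation) for a
// dnsNameMatch(): exact match, or a single leading "*." label in the
// certificate pattern matching exactly one label of the name.
bool dnsNameMatch(std::string_view dns_name, std::string_view pattern) {
  if (equalsIgnoreCase(dns_name, pattern)) return true;
  if (pattern.size() > 2 && pattern[0] == '*' && pattern[1] == '.') {
    size_t dot = dns_name.find('.');
    if (dot == std::string_view::npos || dot == 0) return false;
    // "*.example.com" matches "host.example.com" but not "a.b.example.com".
    return equalsIgnoreCase(dns_name.substr(dot + 1), pattern.substr(2));
  }
  return false;
}

// Vulnerable shape: the SAN std::string, which may carry an embedded NUL, is
// passed via .c_str(). string_view's const char* constructor measures it with
// strlen(), so the comparison only ever sees the bytes before the first NUL.
bool verifySanVulnerable(const std::string& config_san, const std::string& cert_san) {
  return dnsNameMatch(config_san, cert_san.c_str());
}

// Hardened shape: the full length travels with the data, and a SAN containing
// a NUL is rejected before matching, since no valid hostname contains one.
bool verifySanFixed(const std::string& config_san, const std::string& cert_san) {
  if (cert_san.find('\0') != std::string::npos) return false;
  return dnsNameMatch(config_san, std::string_view(cert_san));
}

// Constructed sample dNSName SAN: 34 bytes, with a NUL after the first 19,
// i.e. "backend.example.com" followed by "\0.attacker.test".
const std::string kConstructedSan("backend.example.com\0.attacker.test", 34);
```

The vulnerable path accepts `kConstructedSan` for a configured SAN of `backend.example.com` because it never sees the trailing 15 bytes; the fixed path rejects it.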
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.35.11 | 1.35.11 |
| envoyproxy | envoy | < 1.35.13 | 1.35.13 |
| envoyproxy | envoy | >= 1.36.0 < 1.36.9 | 1.36.9 |
| envoyproxy | envoy | >= 1.37.0 < 1.37.5 | 1.37.5 |
| envoyproxy | envoy | >= 1.38.0 < 1.38.3 | 1.38.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 5.1 | MEDIUM | |
VulDB
envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0 Helper Utility c_str null byte or nul character (GHSA-f8x4-rw5x-f3r7)
vuldb · 2026-06-26 · CVSS 4.4 · MEDIUM
A vulnerability has been found in envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0 and classified as problematic. Impacted is the function c_str of the component Helper Utility. This manipulation causes improper neutralization of null byte or nul character.
This vulnerability is registered as CVE-2026-47778. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
Red Hat
gstreamer: incomplete fix of CVE-2026-1940
vendor_redhat · 2026-02-25 · CVSS 5.1 · MEDIUM
An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in the gst_wavparse_adtl_chunk() function. The patch added a size validation check, lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing an OOB read.
Package: gstreamer1 (Red Hat Enterprise Linux 10) - Fi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-26