CVE-2026-47778
MEDIUM Exploitation: PoC
4.4
CVSS 3.1
Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Metadata
Severity & Metrics
4.4
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| envoyproxy | envoy | — | >= 1.38.0, < 1.38.1, >= 1.37.0, < 1.37.3, >= 1.36.0, < 1.36.7, < 1.35.11 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-158 | cna | CWE-158: Improper Neutralization of Null Byte or NUL Character |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 4.4 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N |
References (1)
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7 https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7