CVE-2026-47778
MediumCVSS 4.4Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
A vulnerability in Envoy's TLS certificate validation allows an attacker to serve a certificate with a dNSName SAN containing an embedded NUL byte. Due to improper C-string casting, the domain name is truncated at the NUL, bypassing the exact match check and enabling unauthorized upstream routing.
Risk Assessment
An attacker can exploit this flaw to impersonate authorized upstream services, leading to unauthorized access or traffic interception in cloud-native environments.
Recommendation
Upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 immediately. After upgrade, review TLS configurations and routing rules.
Original NVD description (English source)
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

