Envoy: Embedded NUL in TLS DNS SAN Truncation in the...

4.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Basic Information

ID CVE-2026-47778

Source GitHub_M

Published Jun 26, 2026 at 17:27

Affected Product

Vendor envoyproxy

Product envoy

Version >= 1.38.0, < 1.38.1

Affected Versions envoyproxy envoy >= 1.38.0, < 1.38.1
envoyproxy envoy >= 1.37.0, < 1.37.3
envoyproxy envoy >= 1.36.0, < 1.36.7
envoyproxy envoy < 1.35.11

CWE Classification

CWE-158

References

github.com /envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7

{
    "lastseen": "",
    "description": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.",
    "published": "2026-06-26T17:27:57.707Z",
    "modified": "2026-06-26T17:27:57.707Z",
    "type": "cve",
    "title": "Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)",
    "source": "GitHub_M",
    "references": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7",
    "id": "CVE-2026-47778",
    "bulletinFamily": "",
    "cwe": [
        "CWE-158"
    ],
    "cvelist": null,
    "sourceData": "envoyproxy envoy >= 1.38.0, < 1.38.1\nenvoyproxy envoy >= 1.37.0, < 1.37.3\nenvoyproxy envoy >= 1.36.0, < 1.36.7\nenvoyproxy envoy < 1.35.11",
    "sourceHref": "",
    "cvss": {
        "score": 4.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "envoy",
    "version": ">= 1.38.0, < 1.38.1",
    "vendor": "envoyproxy",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)_CVE-2026-47778