Skip to main content

Envoy Proxy EUVDEUVD-2026-39818

| CVE-2026-47778 MEDIUM
Improper Neutralization of Null Byte or NUL Character (CWE-158)
2026-06-26 GitHub_M
4.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

AV:N for network-delivered attack; AC:H for required upstream control or MITM position; PR:N because the attacker needs no privileges on the Envoy instance itself, only control of an external upstream endpoint.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 19:02 EUVD
Analysis Generated
Jun 26, 2026 - 18:35 vuln.today

DescriptionCVE.org

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

AnalysisAI

Certificate SAN validation in Envoy Proxy is bypassed when an attacker-controlled upstream serves a TLS certificate containing an embedded NUL byte in the dNSName Subject Alternative Name field. Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 are affected, allowing an attacker who controls or can impersonate an upstream TLS endpoint to pass Envoy's configured SAN match check with a fraudulent certificate and intercept proxied traffic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Control or MITM upstream TLS endpoint
Delivery
Craft X.509 cert with NUL byte in dNSName SAN
Exploit
Present cert during Envoy upstream TLS handshake
Install
.c_str() causes strlen() truncation in dnsNameMatch
C2
Truncated SAN matches configured config_san
Execute
Certificate validation returns true
Impact
Intercept or observe proxied upstream traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker be in a network position to serve a TLS certificate to Envoy acting as a TLS client connecting to an upstream - either by directly controlling the upstream server or by executing a man-in-the-middle attack on the Envoy-to-upstream network segment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-provided CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N yields a score of 4.4, reflecting high attack complexity and a high privilege prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or can perform a man-in-the-middle attack against an upstream server that Envoy routes traffic to crafts a TLS certificate with a dNSName SAN of 'trusted.example.com\x00.attacker.com' and presents it during the TLS handshake. Envoy's verifySubjectAltName extracts the full SAN string but the subsequent .c_str() call causes strlen()-based truncation inside dnsNameMatch, reducing the evaluated string to 'trusted.example.com', which matches the operator-configured config_san. …
Remediation The definitive fix is upgrading Envoy to a patched release: 1.35.11, 1.36.7, 1.37.3, or 1.38.1, per the vendor GitHub Security Advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Envoy

View all
CVE-2023-27488 CRITICAL POC
9.8 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8

CVE-2019-18802 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2019-18801 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-27493 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27491 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27487 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2020-25017 HIGH POC
8.3 Oct 01

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated

CVE-2019-9900 HIGH POC
8.3 Apr 25

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R

CVE-2026-26308 HIGH POC
7.5 Mar 10

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea

CVE-2024-53270 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-53269 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-45810 HIGH POC
7.5 Sep 20

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

Share

EUVD-2026-39818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy