Skip to main content

Envoy EUVDEUVD-2026-39821

| CVE-2026-48497 HIGH
Use of Incorrect Operator (CWE-480)
2026-06-26 GitHub_M
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated network query crashes the process (A:H) once the UDP DNS filter is enabled; no confidentiality or integrity impact, matching the published vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 29, 2026 - 18:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 29, 2026 - 18:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 29, 2026 - 18:37 vuln.today
cvss_changed
Severity Changed
Jun 29, 2026 - 18:37 NVD
MEDIUM HIGH
CVSS changed
Jun 29, 2026 - 18:37 NVD
5.9 (MEDIUM) 7.5 (HIGH)
Patch available
Jun 26, 2026 - 19:02 EUVD
Analysis Generated
Jun 26, 2026 - 18:34 vuln.today

DescriptionNVD

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long can complete successfully, a query with such name will result in abnormal process termination. The abnormal process termination is triggered by an invalid runtime precondition that the query name is strictly less than 255 octets, contradicting DNS specification rfc1035#section-2.3.4 that the name can be 255 or less octets. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

AnalysisAI

Remote denial of service in Envoy proxy allows attackers to crash the process by resolving a DNS name exactly 255 octets long through a configured UDP DNS filter. An off-by-one runtime precondition assumes query names are strictly less than 255 octets, contradicting RFC 1035 which permits names of up to 255 octets, so a maximally-long name that resolves successfully triggers abnormal process termination. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Envoy UDP DNS filter listener
Delivery
Submit query with 255-octet name
Exploit
Name resolves via local/remote path
Execution
Invalid length precondition trips
Impact
Process aborts, service denial

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Envoy to have the UDP DNS filter configured with either local resolution containing a name 255 octets long or remote resolution capable of resolving a 255-octet name; the malicious query name must be exactly 255 octets and must resolve successfully to trigger the precondition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a moderate, availability-only issue rather than a top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an Envoy instance running the UDP DNS filter sends (or arranges for) a DNS query whose name is exactly 255 octets and that resolves successfully via the configured local or remote resolution path. The successful resolution trips the faulty 'length < 255' precondition and Envoy terminates abnormally, dropping all traffic it was proxying. …
Remediation Vendor-released patch: upgrade to Envoy 1.35.11, 1.36.7, 1.37.3, or 1.38.1 (whichever matches your release line), as documented in advisory GHSA-j6g2-wf95-q66q (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Envoy deployments, identify affected versions, and assess criticality to service delivery. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Envoy

View all
CVE-2023-27488 CRITICAL POC
9.8 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8

CVE-2019-18802 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2019-18801 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-27493 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27491 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27487 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2020-25017 HIGH POC
8.3 Oct 01

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated

CVE-2019-9900 HIGH POC
8.3 Apr 25

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R

CVE-2026-26308 HIGH POC
7.5 Mar 10

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea

CVE-2024-53270 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-53269 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-45810 HIGH POC
7.5 Sep 20

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

Share

EUVD-2026-39821 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy