Vulnerability Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7
FAQ
What is CVE-2026-47778?
CVE-2026-47778 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySub...
How severe is CVE-2026-47778?
CVE-2026-47778 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-47778?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.