BIT-envoy-2026-47778

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2026-47778.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-envoy-2026-47778
Aliases
Published
2026-06-30T23:39:30.542Z
Modified
2026-07-08T08:11:24.895013204Z
Summary
Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)
Details

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .cstr() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .cstr() evaluates it, implicit conversion to absl::stringview inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required configsan match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / envoy

Package

Name
envoy
Purl
pkg:bitnami/envoy

Severity

  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.35.11
Introduced
1.36.0
Fixed
1.36.7
Introduced
1.37.0
Fixed
1.37.3
Introduced
1.38.0
Fixed
1.38.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/envoy/BIT-envoy-2026-47778.json"