CVE-2026-47778 in envoy

Summary

by MITRE • 06/26/2026

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates the truncated string against the exact required config_san match and returns true, thereby successfully validating the string with the NUL byte for upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability identified in Envoy proxy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 represents a critical security flaw in the certificate validation process that undermines the integrity of SSL/TLS connections. This issue resides within the DefaultCertValidator::verifySubjectAltName method where the system processes DNS Subject Alternative Name (SAN) values from X.509 certificates. The structural flaw stems from improper handling of null byte characters in certificate SAN fields, creating a path for malicious certificate validation bypasses that could compromise secure communications.

The technical implementation of this vulnerability involves a specific code path where the extracted DNS SAN string undergoes a problematic conversion process using the .c_str() method before being passed to the Utility::dnsNameMatch() algorithm. When a certificate contains a dNSName SAN field with an embedded null byte, the helper function Utility::generalNameAsString correctly captures the complete string including the null character. However, the subsequent .c_str() operation combined with implicit conversion to absl::string_view within dnsNameMatch relies on strlen() function behavior which terminates string evaluation at the first null byte encountered. This premature truncation creates a mismatch between the actual certificate content and the validation logic that processes only the truncated portion of the string.

The operational impact of this vulnerability extends beyond simple certificate validation failure, as it allows attackers to craft malicious certificates that appear valid to Envoy's certificate checker while containing embedded null bytes in their SAN fields. This enables man-in-the-middle attacks where an attacker can present a certificate with a legitimate domain name followed by a null byte and additional malicious content, causing the proxy to incorrectly validate the certificate against the intended configuration. The validation process returns a successful match even though the certificate contains potentially harmful or unauthorized content, effectively bypassing the security controls designed to prevent such unauthorized access patterns.

This vulnerability aligns with CWE-129, which addresses improper handling of length vs. null termination in input validation contexts, and demonstrates characteristics consistent with CWE-704, involving incorrect type conversion that leads to unexpected behavior. From an ATT&CK framework perspective, this issue enables T1566.001 (Phishing via Social Engineering) and T1046 (Network Service Scanning) techniques by allowing attackers to establish fraudulent secure connections that appear legitimate to the target system. The vulnerability also maps to ATT&CK technique T1592 (Gather Victim Host Information) as it could enable attackers to perform reconnaissance through compromised proxy connections.

The fix implemented in versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 addresses this issue by ensuring proper string handling that prevents null byte truncation during certificate validation. These updates modify the certificate parsing logic to maintain string integrity throughout the validation process, eliminating the implicit conversion that previously allowed null bytes to disrupt the evaluation context. Organizations should immediately upgrade their Envoy proxy deployments to these patched versions to prevent exploitation of this vulnerability, as it represents a significant threat to secure communication channels in cloud-native environments where certificate validation is critical for maintaining trust boundaries between services.

The broader implications of this vulnerability highlight the importance of careful string handling in security-critical components and demonstrate how seemingly minor implementation details can create substantial security weaknesses. This issue underscores the necessity of comprehensive testing for edge cases involving special characters, null terminators, and input validation scenarios that could potentially be exploited by attackers. System administrators and security teams should conduct immediate assessments of their Envoy proxy configurations to ensure all instances have been updated to patched versions and verify that certificate validation processes are functioning correctly across all network segments where Envoy is deployed.
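The string-handling defect described in the summary and analysis above, reduced to a stand-alone illustration (added here; not Envoy's code): a dNSName SAN with an embedded NUL is matched once through .c_str() and once with an explicit length. std::string_view stands in for absl::string_view, dnsNameMatch is a minimal exact-match helper, and the SAN value is a constructed sample.

```cpp
// Added illustration of the CVE-2026-47778 pattern: a dNSName SAN with an
// embedded NUL byte, matched once via .c_str() (the flawed path) and once
// with an explicit length (the fixed path). Simplified stand-ins, not Envoy's
// code: std::string_view replaces absl::string_view, and dnsNameMatch is a
// minimal case-insensitive exact-match helper.
#include <algorithm>
#include <cctype>
#include <string>
#include <string_view>

// Minimal stand-in for Utility::dnsNameMatch: case-insensitive exact match
// over the full length of both views (no wildcard handling).
static bool dnsNameMatch(std::string_view config_san, std::string_view san) {
  return std::equal(config_san.begin(), config_san.end(),
                    san.begin(), san.end(),
                    [](unsigned char a, unsigned char b) {
                      return std::tolower(a) == std::tolower(b);
                    });
}

// Flawed path: .c_str() converts to string_view via strlen(), so everything
// after the first NUL is silently dropped before the comparison runs.
bool verifyFlawed(const std::string& config_san, const std::string& dns_san) {
  return dnsNameMatch(config_san, dns_san.c_str());
}

// Fixed path: pass the length-carrying string, and reject any SAN containing
// a NUL outright, since a valid dNSName never contains one.
bool verifyFixed(const std::string& config_san, const std::string& dns_san) {
  if (dns_san.find('\0') != std::string::npos) return false;
  return dnsNameMatch(config_san, std::string_view(dns_san));
}

// Constructed sample: configured SAN, and a SAN whose bytes are
// "good.example.com" + NUL + "evil.test" (26 bytes in total).
const std::string kConfigSan = "good.example.com";
const std::string kBadSan = std::string("good.example.com\0evil.test", 26);
```

verifyFlawed accepts kBadSan because the comparison only ever sees the 16 bytes before the NUL; verifyFixed compares all 26 bytes and rejects it.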

Responsible: GitHub M

Reservation: 05/20/2026

Disclosure: 06/26/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low

Sources
