envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0 Helper Utility c_str null byte or nul character

Summaryinfo

A vulnerability was found in envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0 and classified as problematic. The affected element is the function c_str of the component Helper Utility. Such manipulation leads to improper neutralization of null byte or nul character. This vulnerability is documented as CVE-2026-47778. The attack can be executed remotely. There is not any exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0. It has been rated as problematic. Affected by this issue is the function c_str of the component Helper Utility. The manipulation with an unknown input leads to a improper neutralization of null byte or nul character vulnerability. Using CWE to declare the problem leads to CWE-158. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. Impacted is confidentiality. CVE summarizes:

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2026-47778 since 05/20/2026. The exploitation is known to be difficult. The attack may be launched remotely. The exploitation needs additional levels of successful authentication. There are known technical details, but no exploit is available.

Upgrading to version 1.35.11, 1.36.7, 1.37.3 or 1.38.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-39818). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Firewall Software

Vendor

• envoyproxy

Name

• envoy

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 1.12
• 1.13
• 1.14
• 1.15
• 1.16
• 1.17
• 1.18
• 1.19
• 1.20
• 1.21
• 1.22
• 1.23
• 1.24
• 1.25
• 1.26
• 1.27
• 1.28
• 1.29
• 1.30
• 1.31
• 1.32
• 1.33
• 1.34
• 1.35
• 1.35.0
• 1.35.1
• 1.35.2
• 1.35.3
• 1.35.4
• 1.35.5
• 1.35.6
• 1.35.7
• 1.35.8
• 1.35.9
• 1.35.10
• 1.36
• 1.36.0
• 1.36.1
• 1.36.2
• 1.36.3
• 1.36.4
• 1.36.5
• 1.36.6
• 1.37
• 1.37.0
• 1.37.1
• 1.37.2
• 1.38.0

License

• free

Website

• Product: https://github.com/envoyproxy/envoy/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion