CVE-2026-47778
Analyzed Analyzed - Analysis Complete

Null Byte in DNS SAN Validation in Envoy Proxy

Vulnerability report for CVE-2026-47778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
envoyproxy envoy From 1.37.0 (inc) to 1.37.5 (exc)
envoyproxy envoy From 1.38.0 (inc) to 1.38.3 (exc)
envoyproxy envoy From 1.36.0 (inc) to 1.36.9 (exc)
envoyproxy envoy to 1.35.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-158 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-47778 is a vulnerability in Envoy Proxy's default TLS certificate validator that allows an attacker to bypass host authentication by exploiting an embedded NUL byte in the DNS Subject Alternative Name (SAN) of a TLS certificate.

The flaw occurs in the DefaultCertValidator::verifySubjectAltName function, where the extracted DNS SAN string is incorrectly cast to a C-style string using .c_str() before validation. This causes the string to be prematurely truncated at the NUL byte, allowing an attacker to craft a certificate like example.com\0.attacker.com that Envoy incorrectly validates as matching example.com.

This vulnerability only affects DNS SANs and requires Envoy to be configured with auto_sni and auto_san_validation for upstream connections.

Detection Guidance

This vulnerability involves an attacker serving a TLS certificate with a DNS Subject Alternative Name (SAN) containing an embedded NUL byte. Detection involves inspecting TLS certificates used by Envoy for embedded NUL bytes in the DNS SAN fields.

You can detect potentially malicious certificates by extracting and examining the DNS SAN entries for embedded NUL characters. For example, using OpenSSL commands to inspect certificates:

  • openssl s_client -connect <host>:443 -showcerts | openssl x509 -noout -text
  • Check the output for DNS SAN entries containing unexpected or suspicious characters, especially embedded NUL bytes which may appear truncated or cause parsing issues.

Additionally, monitoring Envoy logs for unusual upstream routing behavior or unexpected certificate validation successes when strict SAN validation is expected may help identify exploitation attempts.

Impact Analysis

An attacker can exploit this vulnerability to perform a Man-In-The-Middle (MITM) attack by obtaining a malicious certificate containing an embedded NUL byte in the DNS SAN.

If the Certificate Authority (CA) in the trust chain does not reject embedded NUL characters, the attacker can intercept and access sensitive data during transit, leading to a loss of data confidentiality.

Compliance Impact

This vulnerability allows an attacker to bypass host authentication by exploiting an embedded NUL byte in the DNS Subject Alternative Name (SAN) of a TLS certificate, potentially enabling a Man-In-The-Middle (MITM) attack. Such an attack can lead to unauthorized access to sensitive data during transit, resulting in a loss of data confidentiality.

Loss of data confidentiality due to interception or unauthorized access can impact compliance with common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data during transmission.

Therefore, if this vulnerability is exploited, organizations using affected Envoy versions may face increased risk of non-compliance with these regulations due to compromised data security.

Mitigation Strategies

The primary mitigation is to upgrade Envoy to a fixed version where this vulnerability is patched. The patched versions are 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

If upgrading immediately is not possible, implement runtime checks to explicitly reject TLS certificates containing embedded NUL bytes in the DNS SAN fields.

Additionally, ensure that your Certificate Authority (CA) rejects certificates with embedded NUL characters in SANs to prevent issuance of malicious certificates.

Avoid relying on the vulnerable `.c_str()` cast in the certificate validation code by applying patches or configuration changes that remove this unsafe string handling.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart