PT-2026-55062 · Bitnami · Envoy

Published

2026-06-30

·

Updated

2026-06-30

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c str() evaluates it, implicit conversion to absl::string view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

BIT-ENVOY-2026-47778

Affected Products

Envoy