CVE-2026-47220
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| envoyproxy | envoy | >= 1.38.0, < 1.38.3 | affected |
| envoyproxy | envoy | >= 1.37.0, < 1.37.5 | affected |
Weaknesses
- CWE-476: CWE-476: NULL Pointer Dereference
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
envoy: Envoy: Denial of Service via missing host header in specific logging configurations
Additional References
- https://access.redhat.com/security/cve/CVE-2026-47220
- https://bugzilla.redhat.com/show_bug.cgi?id=2493652
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47220.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.