Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when %REQUESTED_SERVER_NAME(X:Y)% is used in the log format and host-related options such as HOST_FIRST or SNI_FIRST are specified, it is possible to crash Envoy when the specified host header is missing from the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Envoy is vulnerable to a null pointer dereference that triggers a segmentation fault when the log format includes the %REQUESTED_SERVER_NAME% macro together with host‑related options such as HOST_FIRST or SNI_FIRST and the incoming HTTP request lacks a host header. This crash leads to an abrupt termination of the Envoy process and an interruption of service for any clients attached to the affected proxy instance. The weakness is a classic CWE‑476 scenario, and the impact is a denial of service at the edge of a cloud‑native application stack.

Affected Systems

The vulnerability affects Envoy proxy versions 1.37.0 through 1.37.4 and 1.38.0 through 1.38.2. It has been fixed in 1.37.5 and 1.38.3, and later releases are not vulnerable. All installations using the default host‑resolution settings with %REQUESTED_SERVER_NAME% in the log format should verify their current Envoy version.

Risk and Exploitability

The CVSS score of 7.5 reflects the high severity of a crash-induced denial of service. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploitation has been reported. The likely attack vector is a carefully crafted HTTP request sent to the Envoy service with a missing host header while host-related options are active. An attacker who can reach the proxy can cause it to crash, potentially disrupting traffic for all downstream services.

Generated by OpenCVE AI on June 26, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to 1.37.5 or later (including 1.38.3 and later releases)
  • If upgrading is not immediately possible, remove the %REQUESTED_SERVER_NAME% placeholder from the log format or disable host‑related options such as HOST_FIRST and SNI_FIRST to prevent the crash scenario
  • Restart the Envoy process after configuration changes and monitor logs for any remaining segmentation fault events


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Important

Fri, 26 Jun 2026 23:15:00 +0000

Type: First Time appeared
  Values Added: Envoyproxy; Envoyproxy envoy
Type: Vendors & Products
  Values Added: Envoyproxy; Envoyproxy envoy

Fri, 26 Jun 2026 19:00:00 +0000

Type: Description
  Values Added: Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.
Type: Title
  Values Added: Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format
Type: Weaknesses
  Values Added: CWE-476
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:02:17.679Z

Reserved: 2026-05-18T22:25:21.258Z

Link: CVE-2026-47220

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-26T18:02:17Z

Links: CVE-2026-47220 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T23:00:08Z

Weaknesses