PatchSiren

CVE-2026-48497 Envoyproxy CVE debrief

CVE-2026-48497 is a medium-severity vulnerability affecting Envoy, an open-source edge and service proxy. The vulnerability occurs in the UDP DNS filter and can cause abnormal process termination when a query with a name of 255 octets is processed. This happens because the filter incorrectly assumes the query name must be strictly less than 255 octets, contradicting the DNS specification (RFC 1035). The issue is fixed in Envoy versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Users of affected versions should update to a patched version to prevent potential denial-of-service attacks.

Vendor: Envoyproxy
Product: Envoy
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Users of Envoy, particularly those who have configured the UDP DNS filter with local or remote resolution, should be aware of this vulnerability. This includes cloud-native application developers and operators who rely on Envoy for edge and service proxying. Updating to a patched version of Envoy can help prevent potential denial-of-service attacks.

Technical summary

The vulnerability in Envoy's UDP DNS filter arises from an incorrect assumption about the length of DNS query names. According to RFC 1035, a DNS name can be 255 octets or less. However, the Envoy filter was not handling names of exactly 255 octets correctly, leading to abnormal process termination. The fix involves updating the filter to properly handle names of 255 octets. This vulnerability has a CVSS score of 5.9 and is considered medium severity.
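
The boundary described above, as an added example that is not Envoy's code or the fix from the advisory: a length check for an uncompressed wire-format question name that treats RFC 1035's 255-octet limit as inclusive. The function names, the -1 error convention, and the assumption that the limit is measured on the wire-format name (length octets plus the root octet) are choices made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// RFC 1035 section 2.3.4 size limits; both bounds are inclusive.
constexpr std::size_t kMaxLabelLen = 63;
constexpr std::size_t kMaxNameLen = 255;

// Hypothetical helper (not an Envoy API). Walks the uncompressed name that
// starts at `off` and returns its wire length (length octets + label bytes +
// terminating root octet), or -1 if the name is truncated, has an oversized
// label, or exceeds 255 octets.
int qnameWireLength(const std::vector<uint8_t>& pkt, std::size_t off) {
  std::size_t total = 0;
  for (;;) {
    if (off >= pkt.size()) return -1;  // ran off the end of the datagram
    const std::size_t len = pkt[off];
    if (len == 0) return static_cast<int>(total + 1);  // root label ends the name
    if (len > kMaxLabelLen) return -1;  // oversized label or compression pointer
    total += 1 + len;
    // Reserve one octet for the root label: 255 passes, 256 does not.
    if (total + 1 > kMaxNameLen) return -1;
    off += 1 + len;
  }
}

// Constructed sample input: a wire-format name with the given label lengths.
std::vector<uint8_t> buildName(const std::vector<std::size_t>& labelLens) {
  std::vector<uint8_t> out;
  for (std::size_t n : labelLens) {
    out.push_back(static_cast<uint8_t>(n));
    out.insert(out.end(), n, static_cast<uint8_t>('a'));
  }
  out.push_back(0);  // root label
  return out;
}

int main() {
  // 4 length octets + 250 label bytes + root octet = 255 (legal maximum).
  std::printf("255-octet name: %d\n", qnameWireLength(buildName({63, 63, 63, 61}), 0));
  // One more label byte makes 256, which must be rejected, not crash.
  std::printf("256-octet name: %d\n", qnameWireLength(buildName({63, 63, 63, 62}), 0));
  return 0;
}
```

A regression test for a patched build should cover both sides of the boundary, since the defect was in the handling of the exact maximum rather than of oversized names.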

Defensive priority

Defenders should prioritize updating Envoy to a patched version (1.35.11, 1.36.7, 1.37.3, or 1.38.1) to prevent potential denial-of-service attacks. Additionally, defenders should review their Envoy configurations to ensure they are not exposing vulnerable UDP DNS filter setups.

Recommended defensive actions

  • Update Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1
  • Review and update UDP DNS filter configurations
  • Monitor Envoy logs for abnormal process termination
  • Implement compensating controls to detect and prevent DNS-based attacks
  • Verify vendor remediation workflow for Envoy

Evidence notes

The CVE record and NVD detail provide information about the vulnerability and its fixes. The vendor advisory on GitHub offers additional mitigation guidance. However, the exact scope of affected systems and potential attack vectors are not detailed in the provided sources.

This article is AI-assisted and based on the supplied source corpus.