UDP DNS Filter Vulnerability in Envoy Proxy by Envoy Proxy
CVE-2026-48497
5.9 MEDIUM
What is CVE-2026-48497?
Envoy Proxy, an open-source edge and service proxy, contains a vulnerability when the UDP DNS filter is configured. Specifically, if local or remote DNS resolution is set up for a name with a length of 255 octets, it can lead to abnormal process termination. This occurs because the runtime condition checks incorrectly enforce that query names must be less than 255 octets, which contradicts the DNS specification outlined in RFC 1035. The issue is addressed in Envoy Proxy versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
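The boundary described above, as an added example that is not Envoy's code: a name validator that applies the RFC 1035 limits (labels of 63 octets or less, names of 255 octets or less) next to a strict `< 255` bound that rejects a legal name. All function names are hypothetical, the sample names are constructed, and measuring length in wire format is an assumption, since the page does not say how Envoy measures it.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>

// RFC 1035 section 2.3.4 limits. Assumption: length is measured in wire format.
constexpr std::size_t kMaxLabelOctets = 63;
constexpr std::size_t kMaxNameOctets = 255;  // inclusive

// Wire size of a dotted name: a length octet plus the bytes of each label,
// plus the terminating root octet. Returns 0 for an empty or over-long label.
std::size_t wireLength(const std::string& name) {
  if (name.empty() || name == ".") return 1;  // root name
  const std::size_t end = name.back() == '.' ? name.size() - 1 : name.size();
  std::size_t total = 1;  // root octet
  for (std::size_t start = 0; start < end;) {
    std::size_t dot = name.find('.', start);
    if (dot == std::string::npos || dot > end) dot = end;
    const std::size_t label = dot - start;
    if (label == 0 || label > kMaxLabelOctets) return 0;
    total += 1 + label;
    start = dot + 1;
  }
  return total;
}

// Strict bound, the kind of check the advisory describes: rejects a legal name.
bool acceptsStrict(const std::string& name) {
  const std::size_t len = wireLength(name);
  return len != 0 && len < kMaxNameOctets;
}

// RFC 1035 bound: 255 octets passes, 256 fails with a return value the caller
// can map to an error response.
bool acceptsRfc1035(const std::string& name) {
  const std::size_t len = wireLength(name);
  return len != 0 && len <= kMaxNameOctets;
}

// Constructed sample input: labels of the given sizes, joined by dots.
std::string makeName(std::initializer_list<std::size_t> sizes) {
  std::string out;
  for (std::size_t n : sizes) out += (out.empty() ? "" : ".") + std::string(n, 'a');
  return out;
}

int main() {
  const std::string edge = makeName({63, 63, 63, 61});  // 255 octets on the wire
  std::cout << wireLength(edge) << ' ' << acceptsStrict(edge) << ' '
            << acceptsRfc1035(edge) << '\n';
}
```

A boundary test like this (254, 255 and 256 octets) is worth keeping in the regression suite of any code that validates DNS names, so that both the upper limit and the rejection path are exercised.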
Affected Version(s)
envoy >= 1.38.0, < 1.38.1 < 1.38.0, 1.38.1
envoy >= 1.37.0, < 1.37.3 < 1.37.0, 1.37.3
envoy >= 1.36.0, < 1.36.7 < 1.36.0, 1.36.7
