<Vulnerability name="CVE-2026-47692">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-26T17:59:38</PublicDate>
    <Bugzilla id="2493675" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493675" xml:lang="en:us">
envoy: Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-130</CWE>
    <Details xml:lang="en:us" source="Mitre">
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Envoy. The PROXY Protocol v2 header generator can emit data beyond the maximum allowed length, leading to a mismatch between the actual bytes sent and the length specified in the header. An attacker on an adjacent network could exploit this to smuggle bytes into upstream requests. This could potentially bypass security mechanisms or lead to unexpected behavior in how requests are processed.
    </Details>
    <Statement xml:lang="en:us">
Moderate: Envoy's PROXY Protocol v2 header generator can emit TLVs exceeding the maximum length, leading to a mismatch in bytes written and the header's length field. This flaw allows for up to 65 KB of attacker-controlled data to be smuggled into the upstream request, potentially bypassing security controls or corrupting data. This primarily affects deployments where Envoy is configured to use PROXY Protocol v2.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:service_mesh:2">
        <ProductName>OpenShift Service Mesh 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-service-mesh/proxyv2-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-service-mesh/istio-proxyv2-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-47692
https://nvd.nist.gov/vuln/detail/CVE-2026-47692
https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r
    </References>
</Vulnerability>