Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
Summary
| CVE | CVE-2026-47774 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-17 18:18:02 UTC |
| Updated | 2026-07-06 13:40:12 UTC |
| Description | Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.007080000 probability, percentile 0.489540000 (date 2026-07-04)
Problem Types: CWE-405 | CWE-770 | CWE-409 | CWE-405 CWE-405: Asymmetric Resource Consumption (Amplification) | CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling | CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Envoyproxy | Envoy | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Envoyproxy | Envoy | affected < 1.35.11 | Not specified |
| CNA | Envoyproxy | Envoy | affected >= 1.36.0, < 1.36.7 | Not specified |
| CNA | Envoyproxy | Envoy | affected >= 1.37.0, < 1.37.3 | Not specified |
| CNA | Envoyproxy | Envoy | affected >= 1.38.0, < 1.38.1 | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 2.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.3 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:26222 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:26247 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Issue Tracking, Third Party Advisory, Exploit |
| github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8 | [email protected] | github.com | Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:27114 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:26210 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| www.openwall.com/lists/oss-security/2026/06/04/15 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Mitigation, Third Party Advisory |
| access.redhat.com/security/cve/CVE-2026-47774 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:26231 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-04T00:00:00.000Z | Reported to Red Hat. |
| ADP | 2026-06-04T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6
ADP: RHSA-2026:26210: Red Hat OpenShift Service Mesh 3.0
ADP: RHSA-2026:26222: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:26231: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:26247: Red Hat OpenShift Service Mesh 3.3
Workarounds
ADP: See the security bulletin for a detailed mitigation procedure.