CVE-2026-47774
Published 2026-06-17
Priority: P3 45 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.71% (48.8th percentile)
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.35.11 | 1.35.11 |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | — | — |
| openshift-service-mesh | istio-proxyv2-rhel9 | — | — |
| openshift-service-mesh | proxyv2-rhel9 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| cvelistv5 | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
CVEList (cvelistv5 · 2026-06-17 · CVSS 7.5)
CVE-2026-47774 [HIGH] CWE-405: Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
VulDB (vuldb · 2026-06-15)
CVE-2026-47774 [LOW]: Envoy HPACK Compression Slowloris denial of service
A vulnerability marked as problematic has been reported in Envoy. The affected element is an unknown function of the component HPACK Compression Handler. The manipulation leads to denial of service.
This vulnerability is documented as CVE-2026-47774. The attack can be initiated remotely. There is not any exploit available.
Red Hat (vendor_redhat · 2026-06-04 · CVSS 7.5)
CVE-2026-47774 [HIGH] CWE-409: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack
No description is available for this CVE.
Mitigation: Disable HTTP/2 support on Envoy listeners where it is not strictly required, or deploy behind a CDN/reverse proxy that can absorb or rate-limit such attacks. Limiting the maximum number of concurrent streams and header list size via Envoy configuration can also reduce the attack surface.
Package: openshift-service-mesh/proxyv2-rhel9 (OpenShift Service Mesh 2) - Affected
Package: openshift-service-mesh/istio-proxyv2-rhel9 (OpenShift Service Mesh 3) - Affected
No detection rules found.
No public exploits indexed.
References
https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8
http://www.openwall.com/lists/oss-security/2026/06/04/15
https://access.redhat.com/errata/RHSA-2026:26210
https://access.redhat.com/errata/RHSA-2026:26222
https://access.redhat.com/errata/RHSA-2026:26231
https://access.redhat.com/errata/RHSA-2026:26247
https://access.redhat.com/errata/RHSA-2026:27114
https://access.redhat.com/security/cve/CVE-2026-47774
https://bugzilla.redhat.com/show_bug.cgi?id=2487465
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json