CVE Catalog

CVE-2026-47774

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.71%

49th percentile — higher than 49% of all known CVEs

Summary

A vulnerability in Envoy allows an unauthenticated remote client to trigger excessive memory consumption via HTTP/2 downstream request processing. The issue stems from incomplete accounting of cookie header bytes during size validation and missing limits on total decoded header size in HPACK. This can lead to OOM termination of the Envoy process and denial of service.

Risk Assessment

The organization is at risk of a DoS attack that can disrupt proxy and edge services, causing application unavailability. The attack requires no authentication, increasing the likelihood of exploitation by external attackers.

Recommendation

Immediately upgrade Envoy to versions 1.35.11, 1.36.7, 1.37.3, or 1.38.1. Temporary mitigations include disabling downstream HTTP/2 where feasible, enforcing stricter header and cookie limits before traffic reaches Envoy, and monitoring memory usage for abnormal growth.

Original NVD description (English source)

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS