CVE-2026-47774

Severity: High (CVSS 3.1 base score 7.5)
EPSS: 35.2%
Published: Jun 17, 2026
Last Modified: Jun 23, 2026

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream (client-facing) request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in out-of-memory (OOM) termination of the Envoy process and denial of service.

The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes, with no corresponding limit on the total decoded header size. Together, these behaviors let a malicious client force large decoded-header allocations while bypassing the intended request header size protections.

Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying the fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
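Why a cap on encoded HPACK bytes does not bound memory, as an added example that is not Envoy's, quiche's or the advisory's code: a minimal RFC 7541 decoder run over a constructed header block. Everything in it is illustrative. The static table is partial, Huffman strings and literal header names are unsupported, dynamic-table eviction is skipped (the 4,038-byte sample entry would fit HTTP/2's 4,096-byte default table anyway), and the numbers (a 4,000-byte cookie, 200 references, 8 KiB encoded and 16 KiB decoded caps) are chosen for the demo and are not Envoy's or quiche's limits. The page's first factor, cookie bytes not being fully counted by Envoy's own request-header check, is not modelled; the example shows only the second, an HPACK limit enforced on encoded rather than decoded bytes, and the check that closes it.

```python
"""Added illustration (not Envoy or quiche code): an HPACK header block that
passes an encoded-size cap yet decodes to far more, beside a decoder that also
caps cumulative decoded size. Implements only the RFC 7541 subset it needs."""
from typing import List, Optional, Tuple

Header = Tuple[bytes, bytes]
# Partial RFC 7541 Appendix A static table; index 32 is the "cookie" name.
STATIC_TABLE = {2: (b":method", b"GET"), 4: (b":path", b"/"), 32: (b"cookie", b"")}
STATIC_TABLE_SIZE = 61  # dynamic-table entries start at index 62

def entry_size(name: bytes, value: bytes) -> int:
    return len(name) + len(value) + 32  # RFC 7541 4.1 accounting

def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 5.1 integer with an N-bit prefix; `flags` set the top bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(buf: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    """Inverse of encode_int; returns (value, position after the integer)."""
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    if buf[pos] & 0x80:  # RFC 7541 5.2 H bit
        raise ValueError("Huffman-coded strings are not supported in this demo")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length

class HeaderBlockTooLarge(Exception):
    pass

class HpackDecoder:
    def __init__(self, max_encoded: int, max_decoded: Optional[int] = None):
        self.max_encoded = max_encoded
        self.max_decoded = max_decoded            # None: encoded-only check
        self.dynamic_table: List[Header] = []     # newest first (RFC 7541 2.3.2)

    def lookup(self, index: int) -> Header:
        if index <= STATIC_TABLE_SIZE:
            return STATIC_TABLE[index]
        return self.dynamic_table[index - STATIC_TABLE_SIZE - 1]

    def decode(self, block: bytes) -> Tuple[List[Header], int]:
        """Returns (headers, total decoded size by 4.1 accounting)."""
        if len(block) > self.max_encoded:
            raise HeaderBlockTooLarge("encoded size %d" % len(block))
        headers: List[Header] = []
        decoded = pos = 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:      # 6.1 indexed field: one byte re-emits a table entry
                index, pos = decode_int(block, pos, 7)
                name, value = self.lookup(index)
            elif b & 0x40:    # 6.2.1 literal with incremental indexing, name by index
                index, pos = decode_int(block, pos, 6)
                if not index:
                    raise ValueError("literal names are not supported in this demo")
                name = self.lookup(index)[0]
                value, pos = decode_string(block, pos)
                self.dynamic_table.insert(0, (name, value))
            else:
                raise ValueError("representation 0x%02x not supported in this demo" % b)
            decoded += entry_size(name, value)
            # Bound decoded size as it grows: reject before expanding more references.
            if self.max_decoded is not None and decoded > self.max_decoded:
                raise HeaderBlockTooLarge("decoded size %d" % decoded)
            headers.append((name, value))
        return headers, decoded

def build_amplifying_block(cookie_len: int, repeats: int) -> bytes:
    """Constructed sample: one literal cookie enters the dynamic table, then
    `repeats` one-byte indexed references (index 62) re-emit that same entry."""
    cookie = b"a" * cookie_len
    block = encode_int(32, 6, 0x40) + encode_int(len(cookie), 7) + cookie
    return block + encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * repeats

def demo(cookie_len=4000, repeats=200, max_encoded=8192, max_decoded=16384):
    """Returns (encoded bytes, bytes the encoded-only decoder materialised, whether
    the decoded-size cap rejected the same block). Limits are illustrative only."""
    block = build_amplifying_block(cookie_len, repeats)
    _, decoded = HpackDecoder(max_encoded).decode(block)
    try:
        HpackDecoder(max_encoded, max_decoded).decode(block)
        rejected = False
    except HeaderBlockTooLarge:
        rejected = True
    return len(block), decoded, rejected
```

Calling demo() returns (4204, 811638, True): the block is about 4 KiB on the wire, so it passes the encoded-bytes cap, yet the encoded-only decoder materialises about 793 KiB of decoded headers, while the decoded-size cap rejects the same block after the fifth entry and allocates nothing further. The defensive point the description makes is the same: a request header size limit only protects memory if it is applied to bytes after decoding and counts every header, cookies included.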

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
35.2%
Exploit & Patch Status
No Known Exploit
Patch Available (fixed in Envoy 1.35.11, 1.36.7, 1.37.3 and 1.38.1, per the vendor advisory)

Weaknesses

CWE-405: Asymmetric Resource Consumption (Amplification)
CWE-770: Allocation of Resources Without Limits or Throttling

References

  • http://www.openwall.com/lists/oss-security/2026/06/04/15
  • https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8

Remediation

Upgrade Envoy to 1.35.11, 1.36.7, 1.37.3 or 1.38.1 (or a later release on the same branch), per GitHub advisory GHSA-22m2-hvr2-xqc8. No complete workaround is known short of applying the fix. Until the upgrade is in place: disable downstream HTTP/2 where operationally feasible; enforce stricter request header and cookie limits at a layer in front of Envoy, since Envoy's own request header size check does not fully count cookie bytes; and alert on abnormal Envoy memory growth under HTTP/2 traffic.