CVE-2026-47774
Status: Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service.

The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections.

Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
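The second behavior in the description, an HPACK limit counted on encoded bytes, is easiest to understand with numbers. The following is an added illustration written for this page; it is not Envoy or quiche code and it does not reproduce the reported attack. It encodes a header block with a minimal subset of RFC 7541 (literal field with incremental indexing, then indexed references to the dynamic table) and compares the encoded size with the bytes a decoder must materialize. The cookie length and repeat count are constructed inputs; the only standard facts used are the static-table index of `cookie` (32) and the first dynamic-table index (62).

```python
"""Encoded-vs-decoded size of an HPACK header block (RFC 7541).

Added illustration, not Envoy/quiche code: once a header field has been
inserted into the dynamic table, every further reference costs one or two
encoded bytes but decodes to the full name + value.  A limit enforced on
encoded bytes therefore says little about the decoded allocation.
"""

STATIC_COOKIE_INDEX = 32   # RFC 7541 Appendix A: static index 32 is "cookie"
DYNAMIC_TABLE_START = 62   # 61 static entries, so the newest dynamic entry is 62


def encode_int(value: int, prefix_bits: int, first_byte_flags: int = 0) -> bytes:
    """RFC 7541 section 5.1: integer with an N-bit prefix, remainder in 7-bit groups."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def literal_with_indexing(name_index: int, value: bytes) -> bytes:
    """Section 6.2.1: literal field, name taken from the table, raw (non-Huffman) value.
    The decoder inserts the resulting field into its dynamic table."""
    return encode_int(name_index, 6, 0x40) + encode_int(len(value), 7, 0x00) + value


def indexed(index: int) -> bytes:
    """Section 6.1: indexed header field representation (no literal bytes at all)."""
    return encode_int(index, 7, 0x80)


def build_cookie_block(cookie_value: bytes, repeats: int) -> bytes:
    """Header block with `repeats` cookie fields: one literal that populates the
    dynamic table, then (repeats - 1) one-byte references to that entry."""
    block = bytearray(literal_with_indexing(STATIC_COOKIE_INDEX, cookie_value))
    for _ in range(repeats - 1):
        block += indexed(DYNAMIC_TABLE_START)
    return bytes(block)


def decoded_size(cookie_value: bytes, repeats: int) -> int:
    """Bytes the receiver must hand to the application: name + value per field.
    (Table accounting in section 4.1 adds 32 per entry; that is omitted here.)"""
    return repeats * (len(b"cookie") + len(cookie_value))


def size_ratio(cookie_len: int, repeats: int) -> tuple[int, int]:
    """Return (encoded_bytes, decoded_bytes) for a constructed cookie block."""
    value = b"x" * cookie_len            # constructed value, fits the 4096-byte default table
    return len(build_cookie_block(value, repeats)), decoded_size(value, repeats)


if __name__ == "__main__":
    enc, dec = size_ratio(4000, 1000)
    print(f"encoded {enc} bytes -> decoded {dec} bytes (x{dec // enc})")
```

With a 4000-byte cookie repeated 1000 times the block is about 5 KB on the wire but decodes to roughly 4 MB; an encoded-byte cap of a few tens of kilobytes is satisfied while the decoder still has to allocate megabytes. HTTP/2 additionally lets a client split `Cookie` into many fields that the receiver concatenates (RFC 9113 section 8.2.3), which is why cookie accounting in the request header size check matters.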
Scores
CVSS: not listed on this page
EPSS: not yet evaluated (N/A)

External references: NVD, EUVD
Affected Vendors & Products
The page associates 4 CPEs with this CVE. Note that these are the fixed releases named in the description, not the vulnerable ones; affected builds are the releases of each minor line before them (for example, 1.36.x prior to 1.36.7).

Vendor  Product  Version
envoy   envoy    1.35.11 (fixed)
envoy   envoy    1.36.7 (fixed)
envoy   envoy    1.37.3 (fixed)
envoy   envoy    1.38.1 (fixed)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-405: The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Executive Summary

CVE-2026-47774 is a memory-exhaustion denial-of-service vulnerability in Envoy's HTTP/2 downstream request processing. An unauthenticated remote client can exploit two flaws together: first, cookie header bytes are not fully counted during request header size validation, so oversized cookies slip past the configured limit; second, the HPACK header block limit in oghttp2/quiche is enforced on encoded bytes, with no corresponding limit on the decoded size. A header block that is small on the wire can therefore decode into large allocations that the request header size protections were meant to prevent, driving the Envoy process to OOM termination.

Impact Analysis

The impact is availability only: Envoy consumes memory in proportion to the decoded header size rather than the bytes received, so a client can exhaust available memory and have the process killed by the OOM killer (or its container memory limit). No authentication or user interaction is required, and because HPACK references are cheap to send, the attacker's cost is far below the memory the proxy allocates (the CWE-405 asymmetry above). Every listener that accepts downstream HTTP/2, including TLS listeners that negotiate h2 via ALPN, is exposed on unpatched versions.

Detection Guidance

There is no signature for this vulnerability; detection rests on Envoy's own memory behavior under HTTP/2 load. Watch the process's resident memory, and the Envoy admin stats `server.memory_allocated` and `server.memory_heap_size`, for growth that is out of proportion to request volume. Correlate with `http.<stat_prefix>.downstream_rq_http2_total`: memory that climbs sharply while HTTP/2 requests arrive, and keeps climbing across connections instead of returning to baseline, is the pattern to alert on.

Two caveats. First, on an unpatched build the request header size check is the thing being bypassed, so `downstream_rq_too_large` is not expected to increase during an attack; an absence of rejections does not mean an absence of oversized headers. Second, packet inspection is of limited use here: downstream HTTP/2 is almost always inside TLS, and even on a cleartext listener the malicious header block is small on the wire by design (the decoded size is what is large), so a `tcpdump` or Wireshark filter on frame or HEADERS size will not see it. Only a capture that decodes HPACK with full dynamic-table state shows the expanded cookie values.

System tools such as `top`, `htop`, or `ps` remain useful for a quick look at Envoy's RSS, but alerting should be driven from the admin `/stats` endpoint or the equivalent Prometheus metrics, where memory and HTTP/2 request counters can be compared over time.
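The memory-versus-traffic correlation above, as an added example for this page rather than a tool shipped with Envoy. It parses the plain-text `name: value` format of the admin `/stats` endpoint and raises an alert when `server.memory_allocated` grows by more than a chosen factor between two snapshots while HTTP/2 downstream requests were arriving. The three snapshots are constructed for the example (the stat prefix `ingress_http` and the numbers are made up), and the 1.5x growth threshold is an assumption to tune per deployment.

```python
"""Flag abnormal Envoy memory growth under HTTP/2 traffic from /stats snapshots.

Added example, not Envoy tooling.  Input is the text emitted by the admin
endpoint (GET /stats), one `name: value` line per stat.  The snapshots at
the bottom are constructed for this example.
"""
import re

STAT_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+): (?P<value>\d+)$")
H2_REQ_STAT = re.compile(r"^http\.[^.]+\.downstream_rq_http2_total$")
MEMORY_STAT = "server.memory_allocated"


def parse_stats(text: str) -> dict[str, int]:
    """Parse /stats text into {name: value}; non-numeric and malformed lines are skipped."""
    stats: dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            stats[m["name"]] = int(m["value"])
    return stats


def total_h2_requests(stats: dict[str, int]) -> int:
    """Sum downstream HTTP/2 request counters across all HTTP connection managers."""
    return sum(v for k, v in stats.items() if H2_REQ_STAT.match(k))


def memory_growth_alerts(snapshots, growth_ratio: float = 1.5, min_h2_delta: int = 1):
    """snapshots: list of (seconds, stats_dict) in time order.

    Returns (t_prev, t_now, mem_prev, mem_now, h2_delta) for each consecutive
    pair where allocated memory grew by more than `growth_ratio` while at
    least `min_h2_delta` HTTP/2 requests were processed.  The ratio check is
    deliberately relative, so it works regardless of the absolute heap size.
    """
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(snapshots, snapshots[1:]):
        mem_prev, mem_now = prev.get(MEMORY_STAT, 0), now.get(MEMORY_STAT, 0)
        h2_delta = total_h2_requests(now) - total_h2_requests(prev)
        if mem_prev and mem_now / mem_prev > growth_ratio and h2_delta >= min_h2_delta:
            alerts.append((t_prev, t_now, mem_prev, mem_now, h2_delta))
    return alerts


# Constructed snapshots: steady state, then a jump while HTTP/2 requests keep arriving.
SAMPLE_T0 = """\
http.ingress_http.downstream_rq_http2_total: 1000
http.ingress_http.downstream_rq_too_large: 0
server.memory_allocated: 120000000
server.memory_heap_size: 150000000
"""
SAMPLE_T30 = """\
http.ingress_http.downstream_rq_http2_total: 1200
http.ingress_http.downstream_rq_too_large: 0
server.memory_allocated: 130000000
server.memory_heap_size: 150000000
"""
SAMPLE_T60 = """\
http.ingress_http.downstream_rq_http2_total: 1450
http.ingress_http.downstream_rq_too_large: 0
server.memory_allocated: 900000000
server.memory_heap_size: 950000000
"""
SNAPSHOTS = [(0, parse_stats(SAMPLE_T0)), (30, parse_stats(SAMPLE_T30)), (60, parse_stats(SAMPLE_T60))]


if __name__ == "__main__":
    for t_prev, t_now, mem_prev, mem_now, h2 in memory_growth_alerts(SNAPSHOTS):
        print(f"ALERT: memory {mem_prev} -> {mem_now} between t={t_prev}s and t={t_now}s "
              f"while {h2} HTTP/2 requests arrived")
```

In production the snapshots would come from polling the admin endpoint (or scraping the Prometheus form of the same stats) at a fixed interval; note in the constructed data that `downstream_rq_too_large` stays at zero across the spike, which is consistent with the bypass described above and is why the check keys on memory rather than on rejection counters.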

Mitigation Strategies

The remediation is to upgrade to the fixed release for your minor line: 1.35.11, 1.36.7, 1.37.3, or 1.38.1. These releases account for cookie header bytes in the request header size check and bound decoded header size, so the two behaviors can no longer be combined. The advisory is explicit that no complete workaround exists; the measures below only reduce exposure until the upgrade lands.

  • Disable downstream HTTP/2 where operationally feasible, for example by setting `codec_type: HTTP1` on the HTTP connection manager and dropping `h2` from `alpn_protocols` in the listener's TLS context so clients cannot negotiate it. This removes the HPACK path entirely at the cost of HTTP/2 for downstream clients (gRPC clients in particular will not tolerate this).
  • Enforce stricter request header and cookie limits before traffic reaches Envoy, such as at an upstream proxy, load balancer, or WAF that decodes HTTP/2 itself and applies its own decoded-size limits. Tightening Envoy's own limit (`max_request_headers_kb` on the HTTP connection manager) is not sufficient on unpatched versions, since cookie bytes are not fully counted against it.
  • Monitor Envoy memory usage (for example `server.memory_allocated` from the admin `/stats` endpoint) for abnormal growth under HTTP/2 traffic, and set a container or cgroup memory limit so that an OOM kill affects a single Envoy instance that can be restarted rather than the host.
Compliance Impact

The vulnerability allows unauthenticated remote attackers to cause excessive memory consumption and denial of service in Envoy, potentially impacting system availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service and system instability caused by this vulnerability could indirectly affect compliance by disrupting availability requirements mandated by these regulations.

No direct information is provided about data confidentiality or integrity breaches that would more explicitly impact compliance with these standards.
