CVE-2026-47774

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:1.38.0:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*

History

06 Jul 2026, 13:40

Type Values Removed Values Added
CPE cpe:2.3:a:envoyproxy:envoy:1.38.0:*:*:*:*:*:*:*
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*
First Time Envoyproxy envoy
Redhat openshift Service Mesh
Redhat
Envoyproxy
References () https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8 - () https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8 - Mitigation, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2026/06/04/15 - () http://www.openwall.com/lists/oss-security/2026/06/04/15 - Mailing List, Mitigation, Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2026:26210 - () https://access.redhat.com/errata/RHSA-2026:26210 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2026:26222 - () https://access.redhat.com/errata/RHSA-2026:26222 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2026:26231 - () https://access.redhat.com/errata/RHSA-2026:26231 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2026:26247 - () https://access.redhat.com/errata/RHSA-2026:26247 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2026:27114 - () https://access.redhat.com/errata/RHSA-2026:27114 - Third Party Advisory
References () https://access.redhat.com/security/cve/CVE-2026-47774 - () https://access.redhat.com/security/cve/CVE-2026-47774 - Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2487465 - () https://bugzilla.redhat.com/show_bug.cgi?id=2487465 - Issue Tracking, Third Party Advisory, Exploit
References () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json - () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json - Third Party Advisory

30 Jun 2026, 03:20

Type Values Removed Values Added
CWE CWE-409
References
  • () https://access.redhat.com/errata/RHSA-2026:26210 -
  • () https://access.redhat.com/errata/RHSA-2026:26222 -
  • () https://access.redhat.com/errata/RHSA-2026:26231 -
  • () https://access.redhat.com/errata/RHSA-2026:26247 -
  • () https://access.redhat.com/errata/RHSA-2026:27114 -
  • () https://access.redhat.com/security/cve/CVE-2026-47774 -
  • () https://bugzilla.redhat.com/show_bug.cgi?id=2487465 -
  • () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json -

17 Jun 2026, 19:18

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-17 18:18

Updated : 2026-07-06 13:40


NVD link : CVE-2026-47774

Mitre link : CVE-2026-47774

CVE.ORG link : CVE-2026-47774


JSON object : View

Products Affected

envoyproxy

  • envoy

redhat

  • openshift_service_mesh
CWE
CWE-405

Asymmetric Resource Consumption (Amplification)

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)