CVE-2026-47774

Source
https://cve.org/CVERecord?id=CVE-2026-47774
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47774.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47774
Aliases
Published
2026-06-17T16:58:36.541Z
Modified
2026-07-08T08:13:39.200669936Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
Details

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47774.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-405",
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/envoyproxy/envoy

Affected ranges

Type
GIT
Repo
https://github.com/envoyproxy/envoy
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:envoyproxy:envoy:1.38.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.35.11"
        },
        {
            "introduced": "1.36.0"
        },
        {
            "fixed": "1.36.7"
        },
        {
            "introduced": "1.37.0"
        },
        {
            "fixed": "1.37.3"
        },
        {
            "introduced": "1.38.0"
        },
        {
            "last_affected": "1.38.0"
        }
    ]
}

Affected versions

1.*
1.38.0
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.1
v1.35.10
v1.35.2
v1.35.3
v1.35.4
v1.35.5
v1.35.6
v1.35.7
v1.35.8
v1.35.9
v1.36.0
v1.36.1
v1.36.2
v1.36.3
v1.36.4
v1.36.5
v1.36.6
v1.37.0
v1.37.1
v1.37.2
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47774.json"