← All CVEs

CVE-2026-47774

HIGH 7.5

Published 2026-06-17 · Last modified 2026-06-30

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.

ELEVATED IMPACT

Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.7%chance of exploitation in 30 days · 49th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.5CVSS 3.1 · HIGH

  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Envoyproxy Red Hat

Products Envoy Red Hat Openshift Service Mesh 2.6 Red Hat Openshift Service Mesh 3.0 Red Hat Openshift Service Mesh 3.1 Red Hat Openshift Service Mesh 3.2 Red Hat Openshift Service Mesh 3.3

Weakness (CWE)

  • CWE-405
  • CWE-770: Allocation without limits
  • CWE-409

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Sources: NVD · CVE.org · EPSS