Skip to main content

Envoy Proxy CVE-2026-47774

HIGH
Asymmetric Resource Consumption (Amplification) (CWE-405)
2026-06-17 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable HTTP/2 listener, no auth or user interaction, low complexity to send crafted HPACK headers; impact limited to availability via OOM, with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 18:03 vuln.today

DescriptionCVE.org

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.

AnalysisAI

Denial of service in Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 allows unauthenticated remote clients to trigger excessive memory consumption via crafted HTTP/2 requests, potentially causing OOM termination of the Envoy process. The flaw stems from cookie header bytes bypassing request header size validation combined with HPACK limits being enforced only on encoded bytes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Envoy-fronted HTTP/2 endpoint
Delivery
Open downstream HTTP/2 connection
Exploit
Send requests with oversized HPACK-encoded cookie headers
Install
Bypass encoded-byte HPACK limits
C2
Force large decoded header allocations in Envoy
Execute
Exhaust worker memory and trigger OOM kill
Impact
Denial of service for backend services

Vulnerability AssessmentAI

Exploitation Target Envoy must be running an affected version (prior to 1.35.11/1.36.7/1.37.3/1.38.1) with downstream HTTP/2 enabled on a network-reachable listener, which is the default for typical edge and ingress configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 and is internally consistent with the description: a remote, unauthenticated attacker can reach the HTTP/2 listener over the network with low complexity and impact only availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker on the internet opens an HTTP/2 connection to an Envoy-fronted service and sends requests carrying carefully crafted HPACK-encoded headers - particularly oversized cookie values - that stay within the encoded-byte HPACK block limit but expand to very large decoded header sets. Repeating this across requests or connections forces Envoy to allocate memory beyond its intended request header size cap, eventually exhausting the worker process's memory and triggering an OOM kill that takes the proxy (and the services behind it) offline. …
Remediation Vendor-released patch: upgrade to Envoy 1.35.11, 1.36.7, 1.37.3, or 1.38.1 depending on your maintenance branch, as published in advisory GHSA-22m2-hvr2-xqc8 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Envoy instances and versions; configure HTTP/2 request logging and establish baseline memory metrics. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Envoy

View all
CVE-2023-27488 CRITICAL POC
9.8 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8

CVE-2019-18802 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2019-18801 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-27493 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27491 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27487 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2020-25017 HIGH POC
8.3 Oct 01

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated

CVE-2019-9900 HIGH POC
8.3 Apr 25

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R

CVE-2026-26308 HIGH POC
7.5 Mar 10

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea

CVE-2024-53270 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-53269 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-45810 HIGH POC
7.5 Sep 20

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

Vendor StatusVendor

Share

CVE-2026-47774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy