Envoy HTTP/2 OOM DoS (v<1.35.11/1.36.7/1.37.3/1.38.1)
CVE-2026-47774 Published on June 17, 2026
Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Vulnerability Analysis
CVE-2026-47774 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
What is an Amplification Vulnerability?
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. This situation is amplified if the software allows malicious users or attackers to consume more resources than their access level permits. Exploiting such a weakness can lead to asymmetric resource consumption, aiding in amplification attacks against the system or the network.
CVE-2026-47774 has been classified to as an Amplification vulnerability or weakness.
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
What is a Data Amplification Vulnerability?
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
CVE-2026-47774 has been classified to as a Data Amplification vulnerability or weakness.
Products Associated with CVE-2026-47774
stack.watch emails you whenever new vulnerabilities are published in Envoyproxy Envoy or Red Hat Service Mesh. Just hit a watch button to start following.
Affected Versions
envoyproxy envoy:- Version < 1.35.11 is affected.
- Version >= 1.36.0, < 1.36.7 is affected.
- Version >= 1.37.0, < 1.37.3 is affected.
- Version >= 1.38.0, < 1.38.1 is affected.
- Version 1781604724 and below * is unaffected.
- Version 1781069908 and below * is unaffected.
- Version 1781070158 and below * is unaffected.
- Version 1781070967 and below * is unaffected.
- Version 1781094520 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.