Denial of Service Vulnerability in Envoy Proxy by Envoy Technologies
CVE-2026-47774
What is CVE-2026-47774?
Envoy is an open-source edge and service proxy designed for cloud-native applications. In versions prior to the fixed releases listed below, a vulnerability in Envoy's HTTP/2 downstream request processing allows unauthorized remote clients to cause excessive memory consumption. Two defects combine: cookie header bytes are not adequately counted during the request header size check, and the HPACK header block limit is enforced only on encoded bytes, with no corresponding limit on the decoded header size. A malicious client can therefore trigger large allocations while circumventing the intended protections, which may cause the Envoy process to be terminated by an out-of-memory (OOM) error.

The issue is fixed in versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Where patching is not immediately possible, mitigations include disabling downstream HTTP/2 traffic, configuring stricter header limits, and monitoring memory usage for anomalies.
Affected Version(s)
Package   Affected range           Fixed in
envoy     < 1.35.11                1.35.11
envoy     >= 1.36.0, < 1.36.7      1.36.7
envoy     >= 1.37.0, < 1.37.3      1.37.3
