7.5
CVE-2026-47774
- EPSS 0.82%
- Veröffentlicht 17.06.2026 16:58:36
- Zuletzt bearbeitet 06.07.2026 13:40:12
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Envoyproxy ≫ Envoy Version < 1.35.11
Envoyproxy ≫ Envoy Version >= 1.36.0 < 1.36.7
Envoyproxy ≫ Envoy Version >= 1.37.0 < 1.37.3
Envoyproxy ≫ Envoy Version1.38.0
Redhat ≫ Openshift Service Mesh Version >= 2.6 < 2.6.17
Redhat ≫ Openshift Service Mesh Version >= 3.0 < 3.0.12
Redhat ≫ Openshift Service Mesh Version >= 3.1 < 3.1.9
Redhat ≫ Openshift Service Mesh Version >= 3.2 < 3.2.6
Redhat ≫ Openshift Service Mesh Version >= 3.3 < 3.3.4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.82% | 0.527 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-405 Asymmetric Resource Consumption (Amplification)
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8
http://www.openwall.com/lists/oss-security/2026/06/04/15
https://access.redhat.com/errata/RHSA-2026:27114
https://access.redhat.com/errata/RHSA-2026:26210
https://access.redhat.com/errata/RHSA-2026:26222
https://access.redhat.com/errata/RHSA-2026:26231
https://access.redhat.com/errata/RHSA-2026:26247
https://access.redhat.com/security/cve/CVE-2026-47774
https://bugzilla.redhat.com/show_bug.cgi?id=2487465
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json