CVE-2026-47774
CVE-2026-47774 is a high-severity vulnerability in Envoyproxy Envoy with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-405.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (53rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-37765
- Weakness: CWE-405
- Affected product: Envoyproxy Envoy
- Published:
- Last modified:
Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Frequently asked questions
- What is CVE-2026-47774?
- Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
- How severe is CVE-2026-47774?
- CVE-2026-47774 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-47774 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (53rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-47774?
- CVE-2026-47774 primarily affects Envoyproxy Envoy. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-47774?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-47774 have an EU (EUVD) identifier?
- Yes. CVE-2026-47774 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37765.
- When was CVE-2026-47774 published?
- CVE-2026-47774 was published on 2026-06-17 and last updated on 2026-07-06.
References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8
- http://www.openwall.com/lists/oss-security/2026/06/04/15
- https://access.redhat.com/errata/RHSA-2026:26210
- https://access.redhat.com/errata/RHSA-2026:26222
- https://access.redhat.com/errata/RHSA-2026:26231
- https://access.redhat.com/errata/RHSA-2026:26247
- https://access.redhat.com/errata/RHSA-2026:27114
- https://access.redhat.com/security/cve/CVE-2026-47774
- https://bugzilla.redhat.com/show_bug.cgi?id=2487465
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json
Affected products (3)
- cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
- cpe:2.3:a:envoyproxy:envoy:1.38.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:*
More vulnerabilities in Envoyproxy Envoy
- CVE-2022-29226 — Critical (CVSS 10.0): Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not…
- CVE-2019-18802 — Critical (CVSS 9.8): An issue was discovered in Envoy 1.12.0. An untrusted remote client may send an HTTP header (such as Host) with…
- CVE-2019-18801 — Critical (CVSS 9.8): An issue was discovered in Envoy 1.12.0. An untrusted remote client may send HTTP/2 requests that write to the heap…
- CVE-2020-35470 — High (CVSS 8.8): Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the…
- CVE-2024-23324 — High (CVSS 8.6): Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream…
- CVE-2023-35941 — High (CVSS 8.6): Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0,…
All CVEs affecting Envoyproxy Envoy →
Other CWE-405 vulnerabilities
- CVE-2025-53633 — Critical (CVSS 9.8): Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario…
- CVE-2021-38447 — High (CVSS 8.6): OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target…
- CVE-2025-42874 — High (CVSS 7.9): SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute…
- CVE-2026-25611 — High (CVSS 7.5): A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
- CVE-2026-0485 — High (CVSS 7.5): SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause…
- CVE-2026-22775 — High (CVSS 7.5): Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the…