Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated remote client to trigger memory exhaustion in Envoy by exploiting two behaviors in its HTTP/2 downstream request processing. Cookie header bytes are not fully counted during request header size validation, and HPACK header block limits are enforced only on the encoded header data, not on the total decoded size. An attacker can craft request headers that bypass the size check, causing Envoy to allocate large decoded header buffers and consume memory, which can lead to an OOM termination of the Envoy process and a denial of service. The flaw affects Envoy releases older than 1.35.11, 1.36.7, 1.37.3, or 1.38.1; those specific versions contain a fix. No complete workaround is known except applying the patch, though administrators may disable HTTP/2, enforce stricter header limits, and monitor memory usage for abnormal growth.

Affected Systems

Envoy, the open‑source edge and service proxy, is impacted. Releases older than 1.35.11, 1.36.7, 1.37.3, or 1.38.1 are vulnerable; deployments using those versions and relying on HTTP/2 are at risk.

Risk and Exploitability

The CVSS score of 7.5 classifies this vulnerability as medium–high severity. The EPSS score of 0.00556 (approximately < 1 %) indicates a very low probability that it will be exploited in the wild. It is not listed in CISA’s KEV catalog, suggesting no publicly known exploits. The flaw can be triggered remotely over HTTP/2 without authentication or local privileges, so exposed Envoy deployments remain at risk.

Generated by OpenCVE AI on June 18, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to the latest release that contains a fix for HTTP/2 HPACK handling
  • If upgrading is not possible immediately, disable HTTP/2 support or explicitly refuse HPACK frames to prevent the compression bomb
  • Apply network‑level rate limiting or traffic shaping to mitigate Slowloris‑style attacks, ensuring that inbound connections are throttled before they can saturate server resources

Generated by OpenCVE AI on June 18, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Title envoy: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
Weaknesses CWE-405
CWE-770
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title envoy: envoy: HTTP/2 Remote Denial of Service via HPACK compression bomb and Slowloris-style attack
Weaknesses CWE-409
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:01.079Z

Reserved: 2026-05-19T22:36:16.882Z

Link: CVE-2026-47774

cve-icon Vulnrichment

Updated: 2026-06-17T17:05:51.998Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-04T00:00:00Z

Links: CVE-2026-47774 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-405

    Asymmetric Resource Consumption (Amplification)

  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)

  • CWE-770

    Allocation of Resources Without Limits or Throttling