Impact
This vulnerability allows a remote attacker to trigger a denial‑of‑service condition in Envoy by exploiting HTTP/2’s HPACK header compression mechanism combined with a Slowloris‑style traffic pattern. The weakness is related to improper handling of oversized compressed headers, which lets an attacker exhaust server resources. While a formal description is not available, the reported behavior indicates that an attacker can cause the proxy to refuse service to legitimate clients, degrading availability for all connections passing through the affected Envoy instance.
Affected Systems
The impacted product is Envoy, a high‑performance edge and service proxy. Affected versions are not listed, so all releases should be treated as potentially vulnerable until an official fix is released. Any deployment that relies on Envoy’s HTTP/2 support could be affected.
Risk and Exploitability
The CVSS score of 7.5 places this issue in the medium‑to‑high severity range. The EPSS metric is not available, so the likelihood of exploitation in the wild cannot be quantified. The vulnerability is not currently listed in CISA’s KEV catalog, suggesting that no exploits are publicly known yet. The attack can be performed remotely over an HTTP/2 connection with no local privileges or credentials required, making it a legitimate concern for Internet‑exposed services.
OpenCVE Enrichment