PatchSiren cyber security CVE debrief

CVE-2026-47774 envoyproxy CVE debrief

CVE-2026-47774 is a high-severity vulnerability in Envoy's HTTP/2 downstream request processing. An unauthenticated remote client can trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. This issue arises from a combination of two behaviors: incomplete accounting of cookie header bytes during request header size validation and HPACK header block limits enforced on encoded bytes without a corresponding limit on total decoded header size. Affected versions include those prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Users should update to a patched version to mitigate this vulnerability.

Vendor: envoyproxy
Product: envoy
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-23
Advisory published: 2026-06-17
Advisory updated: 2026-06-23

Who should care

Users of Envoy, particularly those using versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version and potentially implementing temporary mitigations such as disabling downstream HTTP/2 or enforcing stricter request header and cookie limits.

Technical summary

The vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption. Two behaviors combine to cause it: cookie header bytes are not fully counted during request header size validation, and HPACK header block limits are enforced on encoded bytes with no corresponding limit on the total decoded header size, so a compact encoded header block can expand to far more memory than the limit suggests. Affected versions are those prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1; the patched versions are 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Defensive priority

High

Recommended defensive actions

  • Update to Envoy version 1.35.11, 1.36.7, 1.37.3, or 1.38.1, or later
  • Disable downstream HTTP/2 where operationally feasible
  • Enforce stricter request header and cookie limits before traffic reaches Envoy
  • Monitor Envoy memory usage for abnormal growth under HTTP/2 traffic
  • Consider additional detection and prevention controls for abusive HTTP/2 clients, since the vulnerability is reachable without authentication
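The monitoring action above can be made concrete with a small detector over Envoy's admin `/stats` output. The following is an added example for this debrief, not PatchSiren's or Envoy's code. It assumes the plain-text format of the admin `/stats` endpoint ("name: value" per line), the stat names `server.memory_allocated` and `http.<stat_prefix>.downstream_cx_http2_active` with an assumed `stat_prefix` of `ingress_http`, and illustrative thresholds; the snapshots embedded below are constructed, not captured from a real proxy.

```python
"""Flag sustained Envoy memory growth while HTTP/2 downstream connections are active.

Added example for this debrief (not PatchSiren's or Envoy's code). Assumes periodic
samples of the admin /stats text output; stat_prefix "ingress_http" is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIB = 1024 * 1024
MEM_STAT = "server.memory_allocated"
H2_ACTIVE_STAT = "http.ingress_http.downstream_cx_http2_active"  # assumed stat_prefix


def parse_stats(text: str) -> Dict[str, int]:
    """Parse /stats text into {name: int}. Histogram and non-integer lines are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[name.strip()] = int(value.strip())
    return stats


@dataclass
class Sample:
    ts: int               # seconds since start of sampling
    memory_allocated: int  # bytes
    http2_active: int      # active downstream HTTP/2 connections


def sample_from_stats(ts: int, stats: Dict[str, int]) -> Optional[Sample]:
    """Build a Sample, or None if the snapshot lacks the stats we need."""
    if MEM_STAT not in stats or H2_ACTIVE_STAT not in stats:
        return None
    return Sample(ts, stats[MEM_STAT], stats[H2_ACTIVE_STAT])


def detect_growth(samples: List[Sample], window_s: int = 120,
                  growth_bytes: int = 128 * MIB, min_h2_active: int = 1) -> Optional[dict]:
    """Return an alert if memory rose monotonically by >= growth_bytes within the last
    window_s seconds while HTTP/2 connections were active in every sample; else None."""
    if len(samples) < 2:
        return None
    last = samples[-1]
    win = [s for s in samples if s.ts >= last.ts - window_s]
    if len(win) < 2:
        return None
    # Only correlate with the HTTP/2 path the advisory describes.
    if any(s.http2_active < min_h2_active for s in win):
        return None
    # Require sustained growth; a spike that already subsided is not this pattern.
    if any(b.memory_allocated < a.memory_allocated for a, b in zip(win, win[1:])):
        return None
    delta = last.memory_allocated - win[0].memory_allocated
    if delta < growth_bytes:
        return None
    elapsed = last.ts - win[0].ts
    return {"delta_bytes": delta, "elapsed_s": elapsed,
            "rate_bytes_per_s": delta // elapsed, "http2_active": last.http2_active}


def run_detection(snapshots: List[Tuple[int, str]]) -> Optional[dict]:
    """Parse (timestamp, /stats text) snapshots and run the detector over them."""
    samples = [s for ts, text in snapshots
               if (s := sample_from_stats(ts, parse_stats(text))) is not None]
    return detect_growth(samples)


def _snap(mem_mib: int, h2_active: int) -> str:
    """Constructed /stats snapshot text (values are illustrative, not measured)."""
    return (f"{MEM_STAT}: {mem_mib * MIB}\n"
            f"server.memory_heap_size: {(mem_mib + 64) * MIB}\n"
            f"{H2_ACTIVE_STAT}: {h2_active}\n"
            f"http.ingress_http.downstream_rq_http2_total: {h2_active * 100}\n"
            "cluster.local.upstream_rq_time: P0(nan,1) P50(nan,3)\n")


# Constructed series, 30 s apart: steady climb of 210 MiB under rising HTTP/2 load.
SUSPECT_STATS = [(0, _snap(200, 12)), (30, _snap(260, 40)),
                 (60, _snap(330, 85)), (90, _snap(410, 130))]
# Constructed benign series: small fluctuation, including a drop, so no alert.
BENIGN_STATS = [(0, _snap(200, 12)), (30, _snap(202, 14)),
                (60, _snap(201, 13)), (90, _snap(203, 15))]

if __name__ == "__main__":
    print("suspect:", run_detection(SUSPECT_STATS))
    print("benign:", run_detection(BENIGN_STATS))
```

In practice the snapshots come from polling the admin endpoint on its own interval; the thresholds should be set from a baseline of the proxy's normal heap behaviour under the same traffic mix, and an alert is a cue to check the running version against the patched releases listed above. The "disable downstream HTTP/2" action in the list maps to `codec_type: HTTP1` on the HTTP connection manager listener filter, which is the setting a temporary mitigation would change.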

Evidence notes

The information provided is based on the CVE-2026-47774 record and related sources. The vulnerability is confirmed to exist in Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1. The patched versions are confirmed to fix the issue.

Official resources

CVE-2026-47774 was published on 2026-06-17T18:18:02.643Z and modified on 2026-06-17T19:18:08.623Z.