CVE-2026-47774
Envoy Vulnerability Analysis and Mitigation

Overview

CVE-2026-47774 is an HTTP/2 memory exhaustion vulnerability in Envoy's downstream request processing that allows an unauthenticated remote attacker to trigger denial of service via OOM termination. The vulnerability arises from two combined flaws: cookie header bytes are not fully accounted for during header size validation, and HPACK header block limits are enforced on encoded bytes rather than decoded size. Affected Envoy versions are all releases prior to 1.39, with patched versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. It carries a CVSS v3.1 base score of 7.5 (High) and affects Istio deployments and Red Hat OpenShift Service Mesh as downstream consumers of Envoy (Envoy Advisory, Feedly).

Technical Details

The root cause is classified under CWE-405 (Asymmetric Resource Consumption/Amplification) and CWE-770 (Allocation of Resources Without Limits or Throttling). During HTTP/2 request processing, cookie header fragments are buffered separately and merged only after request header size validation completes, meaning buffered cookie bytes are excluded from the max_request_headers_kb enforcement check. Simultaneously, oghttp2/quiche enforces HPACK header block limits on encoded byte size rather than decoded size, enabling a malicious client to use dynamic table references to keep encoded representations small while causing much larger decoded allocations in memory. An attacker can further amplify the attack using HTTP/2 flow-control stalling to extend stream lifetime and delay memory reclamation, allowing OOM termination of the Envoy process within seconds under a 3 GiB memory limit using a limited number of connections (Envoy Advisory).
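As an added illustration (not Envoy code), the following Python models the two accounting problems described above: field sizes are counted the way RFC 7541 section 4.1 defines them (name + value + 32 octets), a flawed check that skips buffered cookie fragments sits beside the hardened check that counts every decoded field, and a helper shows how few wire bytes an indexed HPACK field costs regardless of the size of the entry it references. The request contents are constructed sample data; the 60 KiB limit is Envoy's default max_request_headers_kb.

```python
# Added example, not Envoy code: a model of the header-size accounting gap described
# above. Field sizes follow RFC 7541 section 4.1 (name + value + 32 octets), the same
# unit SETTINGS_MAX_HEADER_LIST_SIZE is expressed in.
from typing import List, Tuple

Header = Tuple[str, str]
FIELD_OVERHEAD = 32  # per-field overhead defined by RFC 7541

def field_size(name: str, value: str) -> int:
    """Decoded size of one header field as the HPACK decoder accounts for it."""
    return len(name.encode()) + len(value.encode()) + FIELD_OVERHEAD

def decoded_size(headers: List[Header]) -> int:
    return sum(field_size(n, v) for n, v in headers)

def indexed_field_encoded_len(index: int) -> int:
    """Wire bytes of an HPACK indexed field (RFC 7541 section 5.1, 7-bit prefix).
    A table entry of any size costs only these bytes on the wire, which is why a
    limit enforced on encoded bytes does not bound the decoded allocation."""
    if index < 127:
        return 1
    rest, nbytes = index - 127, 1
    while rest >= 128:
        rest >>= 7
        nbytes += 1
    return nbytes + 1

def check_flawed(headers: List[Header], max_kb: int) -> bool:
    """Pre-fix behaviour as the advisory describes it: cookie fragments are buffered
    for later merging, so their bytes never reach the max_request_headers_kb check."""
    counted = decoded_size([(n, v) for n, v in headers if n != "cookie"])
    return counted <= max_kb * 1024

def check_fixed(headers: List[Header], max_kb: int) -> bool:
    """Hardened form: every decoded field, cookies included, counts toward the limit."""
    return decoded_size(headers) <= max_kb * 1024

def sample_request(cookie_crumbs: int, crumb_len: int) -> List[Header]:
    """Constructed input: a tiny request whose cookie fragments dominate its decoded size."""
    base = [(":method", "GET"), (":path", "/"), (":authority", "svc.example"), (":scheme", "https")]
    return base + [("cookie", "c%d=%s" % (i, "x" * crumb_len)) for i in range(cookie_crumbs)]

if __name__ == "__main__":
    req = sample_request(cookie_crumbs=100, crumb_len=4000)  # roughly 400 KiB decoded
    print("decoded size:", decoded_size(req))
    print("flawed check accepts:", check_flawed(req, 60))   # True: cookies not counted
    print("fixed check accepts:", check_fixed(req, 60))     # False: over 60 KiB
```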

Impact

Successful exploitation results in denial of service through OOM termination of the Envoy process, with no impact on confidentiality or integrity. In testing against Envoy v1.36.0-dev, the edge process was OOM-killed under a 3 GiB memory limit within seconds using a limited number of HTTP/2 connections and streams. A secondary operational effect is that oversized decoded cookies forwarded upstream can exceed upstream service header limits, potentially causing upstream HTTP/2 connection resets and transient request failures for legitimate users (Envoy Advisory).

Exploitation Steps

  1. Reconnaissance: Identify internet-facing Envoy-based services (e.g., Istio ingress gateways, OpenShift Service Mesh proxies) running Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, or 1.38.1 using network scanning or service fingerprinting tools.
  2. Establish HTTP/2 connections: Open multiple HTTP/2 connections to the target Envoy instance from a controlled client.
  3. Craft malicious cookie headers: Send HTTP/2 requests containing specially crafted cookie headers that exploit HPACK dynamic table references — keeping the encoded representation small while causing large decoded allocations in Envoy's memory.
  4. Bypass header size validation: Because cookie bytes are buffered separately and not included in the max_request_headers_kb check, the oversized cookie data passes validation and is retained in per-stream memory.
  5. Amplify via flow-control stalling: Use HTTP/2 flow-control mechanisms to stall streams, extending their lifetime and preventing memory reclamation, thereby accelerating memory exhaustion.
  6. Achieve OOM termination: Sustain concurrent streams until Envoy's memory is exhausted, triggering OOM termination (exit code 137 in containerized environments) and resulting in denial of service (Envoy Advisory).

Indicators of Compromise

  • Process: Rapid or sustained abnormal memory growth in the Envoy process; OOM termination of the Envoy container (exit status 137 in containerized/Kubernetes environments).
  • Network: Unusual HTTP/2 traffic patterns involving repeated indexed cookie references or large numbers of concurrent streams with stalled flow control from a single or small set of source IPs.
  • Logs: Envoy access logs showing high volumes of HTTP/2 requests with large or repeated cookie headers; upstream connection reset errors caused by oversized forwarded cookie headers exceeding upstream limits.
  • System: Container restart events or OOM kill events in Kubernetes event logs (kubectl get events) associated with Envoy/Istio proxy pods (Envoy Advisory).
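A first-pass detector for the network and log indicators listed above, added here as an example and not part of the Envoy or Istio projects. It runs over constructed JSON access log records; the field names assume a log format built from the Envoy operators %DOWNSTREAM_REMOTE_ADDRESS%, %PROTOCOL%, %REQUEST_HEADERS_BYTES% and %RESPONSE_FLAGS%, and the 32 KiB threshold and three-request noise floor are assumptions to tune for your traffic.

```python
# Added example, not part of the Envoy or Istio projects: scores constructed access
# log records for the indicators above. Field names assume a JSON access log built
# from %DOWNSTREAM_REMOTE_ADDRESS%, %PROTOCOL%, %REQUEST_HEADERS_BYTES%, %RESPONSE_FLAGS%.
import json
from collections import Counter
from typing import Dict, List

HEADER_BYTES_THRESHOLD = 32 * 1024  # assumed: flag requests whose headers exceed 32 KiB
MIN_FLAGGED_PER_SOURCE = 3          # assumed noise floor before a source is reported

# Constructed sample lines (documentation-range IPs), not captured from a real deployment.
SAMPLE_LOG = "\n".join([
    '{"src": "198.51.100.7:51234", "protocol": "HTTP/2", "req_hdr_bytes": 65536, "flags": "-"}',
    '{"src": "198.51.100.7:51240", "protocol": "HTTP/2", "req_hdr_bytes": 98304, "flags": "UR"}',
    '{"src": "198.51.100.7:51251", "protocol": "HTTP/2", "req_hdr_bytes": 70000, "flags": "UR"}',
    '{"src": "203.0.113.9:44021", "protocol": "HTTP/2", "req_hdr_bytes": 40000, "flags": "-"}',
    '{"src": "203.0.113.9:44022", "protocol": "HTTP/1.1", "req_hdr_bytes": 900, "flags": "-"}',
    'not json at all',
])

def parse_records(text: str) -> List[dict]:
    """Parse one JSON record per line, skipping lines that are not valid JSON."""
    out = []
    for line in text.splitlines():
        try:
            out.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return out

def source_ip(addr: str) -> str:
    """Strip the port that %DOWNSTREAM_REMOTE_ADDRESS% appends."""
    return addr.rsplit(":", 1)[0]

def suspicious_sources(records: List[dict]) -> Dict[str, int]:
    """Sources sending at least MIN_FLAGGED_PER_SOURCE HTTP/2 requests over the threshold."""
    per_src: Counter = Counter()
    for r in records:
        if r.get("protocol") == "HTTP/2" and r.get("req_hdr_bytes", 0) > HEADER_BYTES_THRESHOLD:
            per_src[source_ip(r["src"])] += 1
    return {ip: n for ip, n in per_src.items() if n >= MIN_FLAGGED_PER_SOURCE}

def upstream_reset_count(records: List[dict]) -> int:
    """Count responses carrying Envoy's UR (upstream remote reset) flag, the secondary
    effect of oversized cookies being forwarded to an upstream with stricter limits."""
    return sum(1 for r in records if "UR" in r.get("flags", "").split(","))

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(suspicious_sources(recs))    # {'198.51.100.7': 3}
    print(upstream_reset_count(recs))  # 2
```

Correlate a reported source with container restart or OOM events (exit status 137) from the same window before treating it as more than a lead.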

Mitigation and Workarounds

The complete fix requires patching to Envoy versions 1.35.11, 1.36.7, 1.37.3, or 1.38.1, which address both the cookie byte accounting gap and the decoded HPACK size limit enforcement. For Istio users, patched releases 1.28.8, 1.29.4, and 1.30.1 incorporate the fix. Red Hat has issued errata RHSA-2026:26210, RHSA-2026:26231, and RHSA-2026:26247 for OpenShift Service Mesh. No complete workaround exists short of patching; temporary mitigations include disabling downstream HTTP/2 where operationally feasible, enforcing stricter cookie and request header limits upstream of Envoy, and monitoring Envoy memory usage for abnormal growth (Envoy Advisory, Istio Release, Red Hat Errata).

Community Reactions

The vulnerability was disclosed on June 3, 2026, with Istio patch releases announced the same day. A technical write-up on the related HTTP/2 HPACK amplification class of vulnerabilities was published on dev.to, and the issue was discussed on the oss-security mailing list. Coverage appeared on Tux Machines and Winbuzzer, framing the issue as an "HTTP/2 bomb" attack. VulDB catalogued the vulnerability, and the infosec.exchange Mastodon community noted its publication (Istio Release, oss-sec, Winbuzzer).

Additional Resources

Source

This report was generated with the help of AI.

Related Envoy vulnerabilities:

CVE ID | Severity | Score | Technology | Component | CISA KEV exploit | Has fix | Published
CVE-2026-47774 | HIGH | 7.5 | Envoy | cpe:2.3:a:envoyproxy:envoy | No | Yes | Jun 17, 2026
CVE-2026-26330 | HIGH | 7.5 | Envoy | ecs-service-connect-agent | No | Yes | Mar 10, 2026
CVE-2026-26310 | HIGH | 7.5 | Envoy | cpe:2.3:a:envoyproxy:envoy | No | Yes | Mar 10, 2026
CVE-2026-26311 | MEDIUM | 5.9 | Envoy | cpe:2.3:a:envoyproxy:envoy | No | Yes | Mar 10, 2026
CVE-2026-26309 | MEDIUM | 5.3 | Envoy | github.com/envoyproxy/envoy | No | Yes | Mar 10, 2026
