
CVE-2026-47774 is an HTTP/2 memory exhaustion vulnerability in Envoy's downstream request processing that allows an unauthenticated remote attacker to trigger denial of service via OOM termination. The flaw affects Envoy versions prior to 1.39 and, by extension, the affected versions of Istio, which embeds Envoy as its data plane proxy. It was published on June 3, 2026, with a CVSS v3.1 base score of 7.5 (High) (Envoy Advisory).
The vulnerability stems from two compounding weaknesses (CWE-405: Asymmetric Resource Consumption/Amplification and CWE-770: Allocation of Resources Without Limits or Throttling). First, cookie header fragments in HTTP/2 requests are buffered separately and merged only after request header size validation completes, meaning buffered cookie bytes are not fully counted against the max_request_headers_kb limit. Second, oghttp2/quiche enforces HPACK header block limits on encoded bytes rather than on the fully decoded header size, enabling a malicious client to use dynamic table references to keep encoded representations small while causing much larger decoded allocations in memory. Combining these two behaviors, an attacker can force Envoy to retain large per-stream memory allocations; HTTP/2 flow-control stalling can further extend stream lifetime and delay memory reclamation, amplifying the attack's effectiveness. In testing against v1.36.0-dev, an Envoy process under a 3 GiB memory limit was OOM-killed within seconds using a limited number of connections and streams (Envoy Advisory).
Successful exploitation results in denial of service through OOM termination of the Envoy process (exit status 137 in containerized environments), disrupting all traffic passing through the affected proxy. There is no confidentiality or integrity impact, but availability is fully compromised for the affected Envoy instance. A secondary effect observed during testing is that oversized decoded cookies forwarded upstream can exceed upstream services' own header limits, potentially causing upstream HTTP/2 connection resets and transient request failures across the service mesh (Envoy Advisory).
Envoy has released patched versions: 1.35.11, 1.36.7, 1.37.3, and 1.38.1 (all versions < 1.39 are affected). Istio released corresponding fixes in versions 1.28.8, 1.29.4, and 1.30.1. No complete workaround exists short of applying the patch; temporary mitigations include disabling downstream HTTP/2 where operationally feasible, enforcing stricter request header and cookie size limits upstream of Envoy (e.g., via a WAF or load balancer), and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. Fixing only one of the two contributing issues (cookie accounting or HPACK decoded-size limits) may reduce exploitability but does not fully remediate the vulnerability (Envoy Advisory, Istio 1.28.8).
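For fleet triage, the fixed-version list above can be turned into a branch-aware check. This is an added example, not code from the Envoy or Istio projects or from the advisory; it assumes only the fixed versions stated here, and the `envoy --version` line format used in the sample is an assumption.

```python
import re
from typing import Optional

# Fix data as stated in this advisory summary (CVE-2026-47774).
# Envoy: every release line below 1.39 is affected; these are the first fixed
# patch releases per maintained branch. Istio: the corresponding fixed releases.
ENVOY_FIXED = {(1, 35): 11, (1, 36): 7, (1, 37): 3, (1, 38): 1}
ISTIO_FIXED = {(1, 28): 8, (1, 29): 4, (1, 30): 1}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch, prerelease) for the first x.y.z[-tag] in text, else None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def _affected(text: str, fixed_by_branch: dict, first_fixed_minor: Optional[int]) -> Optional[bool]:
    """Branch-aware check: True = affected, False = fixed, None = cannot tell from the page's data."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor, patch, prerelease = v
    if first_fixed_minor is not None and (major > 1 or (major == 1 and minor >= first_fixed_minor)):
        return False  # release line that shipped with the fix (Envoy >= 1.39)
    first_fixed = fixed_by_branch.get((major, minor))
    if first_fixed is None:
        # Older than the oldest fixed branch: no backport listed, treat as affected.
        # Newer than the listed branches with no stated cut-off: unknown.
        return True if (major, minor) < min(fixed_by_branch) else None
    if patch < first_fixed:
        return True  # e.g. 1.36.0-dev, the build the advisory tested, is < 1.36.7
    # A prerelease of the fixed release itself (e.g. 1.36.7-rc1) predates that release.
    return patch == first_fixed and prerelease is not None


def envoy_affected(text: str) -> Optional[bool]:
    """CVE-2026-47774 status for an Envoy version string or a line of `envoy --version` output."""
    return _affected(text, ENVOY_FIXED, first_fixed_minor=39)


def istio_affected(text: str) -> Optional[bool]:
    """Same check for an Istio version; branches newer than 1.30 are not covered by the page."""
    return _affected(text, ISTIO_FIXED, first_fixed_minor=None)


if __name__ == "__main__":
    # Constructed sample in the shape `envoy --version` prints (format is an assumption).
    sample = "envoy  version: 0123abc/1.36.0-dev/Clean/RELEASE/BoringSSL"
    print(envoy_affected(sample), istio_affected("1.29.3"), istio_affected("1.31.0"))
```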
The vulnerability was disclosed via the oss-security mailing list and covered by Tux Machines in the context of the Istio 1.30.1/1.29.4/1.28.8 releases (oss-sec, Tux Machines). A technical blog post on dev.to discussed the related HTTP/2 HPACK flow-control DoS class of vulnerabilities (dev.to). Winbuzzer reported on the broader risk of HTTP/2 "bomb" attacks exposing server memory (Winbuzzer). The vulnerability was credited to researcher Ryoga Yamashita (Snow-Poijio) (Envoy Advisory).
Source: This report was generated using artificial intelligence.