CVE-2026-47774
Envoy vulnerability analysis and mitigation

Overview

CVE-2026-47774 is an HTTP/2 memory exhaustion vulnerability in Envoy's downstream request processing that allows an unauthenticated remote attacker to trigger denial of service via OOM termination. The flaw affects Envoy versions prior to 1.39 and, by extension, the affected versions of Istio, which embeds Envoy as its data plane proxy. It was published on June 3, 2026, with a CVSS v3.1 base score of 7.5 (High) (Envoy Advisory).

Technical details

The vulnerability stems from two compounding weaknesses (CWE-405: Asymmetric Resource Consumption/Amplification and CWE-770: Allocation of Resources Without Limits or Throttling). First, cookie header fragments in HTTP/2 requests are buffered separately and merged only after request header size validation completes, meaning buffered cookie bytes are not fully counted against the max_request_headers_kb limit. Second, oghttp2/quiche enforces HPACK header block limits on encoded bytes rather than on the fully decoded header size, enabling a malicious client to use dynamic table references to keep encoded representations small while causing much larger decoded allocations in memory. Combining these two behaviors, an attacker can force Envoy to retain large per-stream memory allocations; HTTP/2 flow-control stalling can further extend stream lifetime and delay memory reclamation, amplifying the attack's effectiveness. In testing against v1.36.0-dev, an Envoy process under a 3 GiB memory limit was OOM-killed within seconds using a limited number of connections and streams (Envoy Advisory).

Impact

Successful exploitation results in denial of service through OOM termination of the Envoy process (exit status 137 in containerized environments), disrupting all traffic passing through the affected proxy. There is no confidentiality or integrity impact, but availability is fully compromised for the affected Envoy instance. A secondary effect observed during testing is that oversized decoded cookies forwarded upstream can exceed upstream services' own header limits, potentially causing upstream HTTP/2 connection resets and transient request failures across the service mesh (Envoy Advisory).

Exploitation steps

  1. Reconnaissance: Identify internet-facing or network-accessible Envoy or Istio ingress/gateway endpoints that accept HTTP/2 downstream connections, using tools like Shodan, Censys, or direct probing for HTTP/2 (h2) ALPN negotiation.
  2. Establish HTTP/2 connections: Open one or more HTTP/2 connections to the target Envoy listener. Multiple concurrent streams can be used to increase memory pressure.
  3. Populate HPACK dynamic table: Send initial HTTP/2 requests with large cookie header values to populate the HPACK dynamic table on the server side, establishing indexed references for subsequent requests.
  4. Craft amplified cookie headers: Send HTTP/2 HEADERS frames containing cookie header fragments that reference previously indexed dynamic table entries. The encoded representation remains small (bypassing max_request_headers_kb enforcement), but the decoded cookie value is large, causing significant per-stream memory allocation in Envoy.
  5. Stall with flow control: Use HTTP/2 flow-control mechanisms (e.g., withholding WINDOW_UPDATE frames) to extend stream lifetime, preventing Envoy from reclaiming per-stream memory and sustaining memory pressure.
  6. Trigger OOM: Sustain concurrent streams with amplified cookie allocations until Envoy's memory is exhausted, resulting in OOM termination (exit code 137 in containers) and denial of service (Envoy Advisory).

Indicators of compromise

  • Process: Rapid or sustained abnormal memory growth in the Envoy process; OOM termination of the Envoy container or process (exit status 137 in containerized environments).
  • Network: Unusual HTTP/2 traffic patterns involving repeated indexed cookie header references (HPACK dynamic table references); high numbers of concurrent HTTP/2 streams from a small number of source IPs; streams with stalled or absent WINDOW_UPDATE frames (flow-control stalling).
  • Logs: Envoy access logs showing a high volume of requests with large or fragmented cookie headers; upstream connection reset errors attributed to oversized forwarded cookie headers; OOM-kill events in container runtime or system logs (Envoy Advisory).
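As an added defender-side example (written here, not taken from the Envoy advisory or the Envoy project): a Python check over constructed Envoy JSON access-log lines that flags sources sending many HTTP/2 requests whose decoded request headers exceed the configured max_request_headers_kb, and counts upstream remote resets (response flag UR) among them. It assumes an access log format that emits %DOWNSTREAM_REMOTE_ADDRESS%, %PROTOCOL%, %REQUEST_HEADERS_BYTES% and %RESPONSE_FLAGS% under the JSON keys used in the sample.

```python
import json
from collections import defaultdict

# Constructed sample access-log lines (not real captures). Keys are assumed to come from
# an Envoy JSON access log configured with %DOWNSTREAM_REMOTE_ADDRESS%, %PROTOCOL%,
# %REQUEST_HEADERS_BYTES% (decoded, uncompressed header bytes) and %RESPONSE_FLAGS%.
SAMPLE_LOG = """
{"downstream_remote_address":"203.0.113.7:51000","protocol":"HTTP/2","request_headers_bytes":262144,"response_flags":"-"}
{"downstream_remote_address":"203.0.113.7:51001","protocol":"HTTP/2","request_headers_bytes":262144,"response_flags":"UR"}
{"downstream_remote_address":"203.0.113.7:51002","protocol":"HTTP/2","request_headers_bytes":262144,"response_flags":"UR"}
{"downstream_remote_address":"198.51.100.9:44000","protocol":"HTTP/1.1","request_headers_bytes":310,"response_flags":"-"}
{"downstream_remote_address":"203.0.113.7:51003","protocol":"HTTP/2","request_headers_bytes":262144,"response_flags":"-"}
"""

MAX_REQUEST_HEADERS_KB = 60  # Envoy's default max_request_headers_kb; set to your configured value
MIN_HITS = 3                 # per-source count of oversized HTTP/2 requests before alerting

def parse_lines(text):
    """Parse JSON access-log lines, skipping blank or malformed ones."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def source_ip(addr):
    """Strip the port from Envoy's host:port form ([v6]:port for IPv6)."""
    return addr.rsplit(":", 1)[0].strip("[]")

def find_suspects(entries, max_headers_kb=MAX_REQUEST_HEADERS_KB, min_hits=MIN_HITS):
    """Return {ip: {"oversized_h2": n, "upstream_resets": m}} for sources with >= min_hits
    HTTP/2 requests whose decoded header bytes exceed the configured limit. Such entries
    should not exist if max_request_headers_kb were fully enforced on decoded bytes."""
    limit = max_headers_kb * 1024
    stats = defaultdict(lambda: {"oversized_h2": 0, "upstream_resets": 0})
    for e in entries:
        if e.get("protocol") != "HTTP/2" or e.get("request_headers_bytes", 0) <= limit:
            continue
        ip = source_ip(e["downstream_remote_address"])
        stats[ip]["oversized_h2"] += 1
        if "UR" in e.get("response_flags", "").split(","):  # UR = upstream remote reset
            stats[ip]["upstream_resets"] += 1
    return {ip: s for ip, s in stats.items() if s["oversized_h2"] >= min_hits}

if __name__ == "__main__":
    for ip, s in find_suspects(parse_lines(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {s['oversized_h2']} oversized HTTP/2 header blocks, "
              f"{s['upstream_resets']} upstream resets")
```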

Mitigation and workarounds

Envoy has released patched versions: 1.35.11, 1.36.7, 1.37.3, and 1.38.1 (all versions < 1.39 are affected). Istio released corresponding fixes in versions 1.28.8, 1.29.4, and 1.30.1. No complete workaround exists short of applying the patch; temporary mitigations include disabling downstream HTTP/2 where operationally feasible, enforcing stricter request header and cookie size limits upstream of Envoy (e.g., via a WAF or load balancer), and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic. Fixing only one of the two contributing issues (cookie accounting or HPACK decoded-size limits) may reduce exploitability but does not fully remediate the vulnerability (Envoy Advisory, Istio 1.28.8).

Community reactions

The vulnerability was disclosed via the oss-security mailing list and covered by Tux Machines in the context of the Istio 1.30.1/1.29.4/1.28.8 releases (oss-sec, Tux Machines). A technical blog post on dev.to discussed the related HTTP/2 HPACK flow-control DoS class of vulnerabilities (dev.to). Winbuzzer reported on the broader risk of HTTP/2 "bomb" attacks exposing server memory (Winbuzzer). The vulnerability was credited to researcher Ryoga Yamashita (Snow-Poijio) (Envoy Advisory).

Additional resources


Source: This report was generated using AI

Related Envoy vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name              | CISA KEV exploited | Has fix | Publication date
CVE-2026-26330 | HIGH     | 7.5   | Envoy        | envoy                       | No                 | Yes     | Mar 10, 2026
CVE-2026-26310 | HIGH     | 7.5   | Envoy        | github.com/envoyproxy/envoy | No                 | Yes     | Mar 10, 2026
CVE-2026-26311 | MEDIUM   | 5.9   | Envoy        | cpe:2.3:a:envoyproxy:envoy  | No                 | Yes     | Mar 10, 2026
CVE-2026-26309 | MEDIUM   | 5.3   | Envoy        | cpe:2.3:a:envoyproxy:envoy  | No                 | Yes     | Mar 10, 2026
CVE-2026-47774 | HIGH     | N/A   | Envoy        | cpe:2.3:a:envoyproxy:envoy  | No                 | Yes     | Jun 03, 2026
