Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Conclusion & alert: CVE-2026-47774 is rated High Exploit Risk (62.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.71%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-30 | 0.44% | 0.71% | +0.27% |
| 2 | 2026-06-23 | 0.56% | 0.44% | -0.12% |
| 3 | 2026-06-18 | — | 0.56% | — |
Full EPSS history (4 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| envoyproxy | envoy | < 1.35.11 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| envoyproxy | envoy | >= 1.36.0, < 1.36.7 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| envoyproxy | envoy | >= 1.37.0, < 1.37.3 | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* |
| envoyproxy | envoy | 1.38.0 | cpe:2.3:a:envoyproxy:envoy:1.38.0:*:*:*:*:*:*:* |
| redhat | openshift_service_mesh | >= 2.6, < 2.6.17 | cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:* |
| redhat | openshift_service_mesh | >= 3.0, < 3.0.12 | cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:* |
| redhat | openshift_service_mesh | >= 3.1, < 3.1.9 | cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:* |
| redhat | openshift_service_mesh | >= 3.2, < 3.2.6 | cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:* |
| redhat | openshift_service_mesh | >= 3.3, < 3.3.4 | cpe:2.3:a:redhat:openshift_service_mesh:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8 | Mitigation Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/06/04/15 | Mailing List Mitigation Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2026:26210 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2026:26222 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2026:26231 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2026:26247 | Third Party Advisory |
| https://access.redhat.com/errata/RHSA-2026:27114 | Third Party Advisory |
| https://access.redhat.com/security/cve/CVE-2026-47774 | Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487465 | Issue Tracking Third Party Advisory Exploit |
| https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47774.json | Third Party Advisory |