Envoy follow-up releases for CVE-2026-47774 mitigation: 1.38.2, 1.37.4, 1.36.8 and 1.35.12


Kateryna Nezdolii

Jun 15, 2026, 4:10:00 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-dev, envoy...@googlegroups.com

Hello Envoy Community,


The Envoy security team would like to announce the availability of Envoy 1.38.2, 1.37.4, 1.36.8 and 1.35.12.


These are follow-up releases related to the previously published mitigation for the following CVE:


* CVE-2026-47774 (CVSS score 7.5/10) HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification.


The original CVE fix was released in Envoy 1.38.1, 1.37.3, 1.36.7 and 1.35.11. The releases announced here add additional operational controls and visibility to help operators safely tune HTTP/2 header and cookie limits after deploying the mitigation.


These releases include the following changes:


* http2: added opt-in histograms for HTTP/2 header statistics, including header-entry count, header-map byte size, reassembled `cookie` header length, and individual `cookie` header count. These can be enabled with `envoy.reloadable_features.http2_record_histograms`.

* http2: added `envoy.reloadable_features.http2_max_cookies_size_in_kb` to limit the size of the reassembled `cookie` header. By default, no cookie-size limit is enforced.

* runtime: fixed RTDS runtime-guard override removal so that deleting an override restores the process-wide runtime guard to its default value.


Operators who terminate untrusted downstream HTTP/2 traffic, or who have deployed the CVE-2026-47774 mitigation and need additional telemetry or cookie-size controls, are encouraged to upgrade to 1.38.2, 1.37.4, 1.36.8 or 1.35.12.


GitHub tags:

https://github.com/envoyproxy/envoy/releases/tag/v1.38.2

https://github.com/envoyproxy/envoy/releases/tag/v1.37.4

https://github.com/envoyproxy/envoy/releases/tag/v1.36.8

https://github.com/envoyproxy/envoy/releases/tag/v1.35.12


Docker images:

https://hub.docker.com/r/envoyproxy/envoy/tags


Release notes:

https://www.envoyproxy.io/docs/envoy/v1.38.2/version_history/v1.38/v1.38.2

https://www.envoyproxy.io/docs/envoy/v1.37.4/version_history/v1.37/v1.37.4

https://www.envoyproxy.io/docs/envoy/v1.36.8/version_history/v1.36/v1.36.8

https://www.envoyproxy.io/docs/envoy/v1.35.12/version_history/v1.35/v1.35.12


Docs:

https://www.envoyproxy.io/docs/envoy/v1.38.2/

https://www.envoyproxy.io/docs/envoy/v1.37.4/

https://www.envoyproxy.io/docs/envoy/v1.36.8/

https://www.envoyproxy.io/docs/envoy/v1.35.12/


For more information about the mitigation guidance, please see the following link:


Mitigation recommendation for CVE-2026-47774



Thanks,


nezdolik

on behalf of the Envoy security team and maintainers
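As an added illustration (this is editor-supplied example configuration, not part of the announcement above and not the Envoy project's own sample), the following `layered_runtime` fragment shows where the two runtime keys named in the release notes would be set in an Envoy v3 bootstrap. The key names are the ones from the announcement; the `64` KiB cookie limit, the layer names, and the `rtds_cluster` cluster name are assumptions chosen for the example, and the matching `admin` block and `static_resources` cluster definition are omitted.

```yaml
# Example bootstrap fragment (editor-supplied, not from the announcement).
# Layers are evaluated in order; a later layer overrides an earlier one for
# the same key, so RTDS or admin overrides take precedence over static_layer.
layered_runtime:
  layers:
  - name: static_layer_0
    static_layer:
      # Opt in to the new HTTP/2 header histograms (off by default).
      envoy.reloadable_features.http2_record_histograms: true
      # Cap the reassembled Cookie header. The announcement states that no
      # limit is enforced by default; 64 KiB here is an assumed example value,
      # to be tuned against the histograms observed in your own traffic.
      envoy.reloadable_features.http2_max_cookies_size_in_kb: 64
  - name: rtds_layer_0
    # Optional: allow these keys to be overridden centrally via RTDS.
    # "rtds_cluster" is an assumed cluster name that must exist in
    # static_resources.clusters.
    rtds_layer:
      name: envoy_rtds
      rtds_config:
        resource_api_version: V3
        api_config_source:
          api_type: GRPC
          transport_api_version: V3
          grpc_services:
          - envoy_grpc:
              cluster_name: rtds_cluster
  - name: admin_layer_0
    # Optional: permit ad-hoc overrides through the admin endpoint
    # (POST /runtime_modify?key=value) while tuning.
    admin_layer: {}
```

After reloading, the effective values can be confirmed with a GET to the admin `/runtime` endpoint, and the new histograms, once enabled, appear in the admin `/stats` output; choosing a cookie limit from observed header sizes before enforcing it avoids rejecting legitimate clients with large cookie jars.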

