Followup emergency release for CVE-2026-47774


Kateryna Nezdolii

Jun 9, 2026, 1:49:14 PM
to envoy-secur...@googlegroups.com, cncf-envoy-distr...@lists.cncf.io, envoy...@googlegroups.com, envoy-dev, envoy-ma...@googlegroups.com

Hello Envoy Community,

We would like to provide a follow-up regarding CVE-2026-47774, the memory-exhaustion vulnerability involving a cookie header size-limit bypass and HPACK amplification.


Following the initial emergency release, we have received feedback that the mitigation can affect legitimate HTTP/2 traffic in deployments that use a large number of individual cookie headers or very large cookies. We have published additional mitigation guidance here:

https://github.com/envoyproxy/envoy/issues/45483


We are preparing a second emergency Envoy release for CVE-2026-47774. Our target is to cut this release by the end of day tomorrow, June 10, 2026, CEST.


The release is expected to include the following additional changes:


HTTP/2 header and cookie histograms to help operators determine safe header-map limits:

 https://github.com/envoyproxy/envoy/pull/45479

 These histograms are disabled by default and can be enabled with the runtime guard envoy.reloadable_features.http2_record_histograms.


A dedicated runtime-configurable limit for the size of the re-assembled HTTP/2 cookie header:

 https://github.com/envoyproxy/envoy/pull/45476

 This limit is disabled by default and can be configured with the runtime value envoy.reloadable_features.http2_max_cookies_size_in_kb.

We will send a further notification once the second emergency release has been published.


Kind regards,

nezdolik on behalf of Envoy Security Team and Maintainers
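The two runtime keys named above are applied through Envoy's layered runtime in the bootstrap. The fragment below is an added illustration, not part of the announcement or of the Envoy project's own documentation: the `layered_runtime` / `static_layer` structure is Envoy's standard bootstrap syntax, the two key names are taken from the message, and the numeric limit (64) is a placeholder that an operator would replace with a value chosen from the cookie histograms after observing real traffic.

```yaml
# Added example: bootstrap fragment that turns on the HTTP/2 header/cookie
# histograms and sets the re-assembled cookie size limit via runtime.
# Both keys are those named in the announcement; the value 64 is a placeholder.
layered_runtime:
  layers:
    - name: static_layer_0
      static_layer:
        # Step 1: enable the histograms (disabled by default) and run with
        # them for a while to learn the cookie sizes legitimate clients send.
        envoy.reloadable_features.http2_record_histograms: true
        # Step 2: once the observed distribution is known, set a limit in KB
        # for the re-assembled cookie header with some headroom above it.
        # 64 here is an assumed placeholder, not a recommended value.
        envoy.reloadable_features.http2_max_cookies_size_in_kb: 64
    # An admin layer lets the values be adjusted at runtime without a restart
    # (through the admin interface's /runtime_modify endpoint) while tuning.
    - name: admin_layer_0
      admin_layer: {}
```

Keeping the histogram layer enabled during the tuning period and only then setting the limit avoids the false positives the announcement describes for deployments with many or very large cookies; the effective values can be confirmed on the admin interface's /runtime endpoint.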

