[Zero Day] Zero day announcement for Envoy users

Kateryna Nezdolii

Jun 4, 2026, 5:22:31 AM
to envoy...@googlegroups.com, envoy-dev, envoy-a...@googlegroups.com

Hello Envoy Users,


We would like to inform you that CVE-2026-47774, a memory-exhaustion vulnerability involving a cookie header size-limit bypass and HPACK amplification, is now public following the zero-day disclosure published here:

 https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

We are currently preparing public releases to mitigate this vulnerability. We expect these releases to be available by the end of the day on June 4, 2026, CEST. We will send a further notification once the releases have been published.


Kind regards,
nezdolik (on behalf of Envoy security team and maintainers)