Envoy Proxy Memory Allocation with Excessive Size Value Vulnerability - CVE-2026-49975
A memory exhaustion vulnerability in Envoy's HTTP/2 cookie coalescing path allows a remote, unauthenticated attacker to cause a denial of service via crafted HPACK requests. By seeding the dynamic table with a large cookie header and replaying it with one-byte indexed references, an attacker bypasses the default max_headers_count limit: Envoy appends the repeated cookie values into a per-stream buffer rather than counting them against the header limits. Combined with flow-control stalling via INITIAL_WINDOW_SIZE=0, the allocated memory is held open indefinitely. Fixed in Envoy 1.35.11, 1.36.7, 1.37.3 and 1.38.1.
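As an added example (not code from the advisory or from the Envoy project), the following Python check answers the first question an operator has about this advisory: whether a given Envoy build is on a fixed release. It parses a version out of a string such as the output of `envoy --version` and compares it against the fixed releases listed above, per minor line. The `sha/major.minor.patch/...` output format it parses is an assumption, and minor lines the advisory does not name (anything below 1.35) are reported as `unknown-line` rather than guessed at.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per minor line, as listed in the advisory for CVE-2026-49975.
FIXED_VERSIONS = {
    (1, 35): (1, 35, 11),
    (1, 36): (1, 36, 7),
    (1, 37): (1, 37, 3),
    (1, 38): (1, 38, 1),
}

# Matches the first major.minor.patch triple in the text. The leading commit
# hash in `envoy --version` output contains no dots, so it is skipped over.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a bare version or an envoy --version line."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a build as 'fixed', 'vulnerable', 'unknown-line' or 'unparseable'."""
    version = parse_version(text)
    if version is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # The advisory names fixes only for 1.35 through 1.38; anything else is
        # outside its scope, so do not claim it is safe (assumption: report as unknown).
        return "unknown-line"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; the commit hashes are placeholders, not real builds.
    samples = [
        "envoy  version: 0123abc/1.36.5/Clean/RELEASE/BoringSSL",
        "envoy  version: 4567def/1.37.3/Clean/RELEASE/BoringSSL",
        "1.38.0",
        "1.34.9",
        "no version here",
    ]
    for sample in samples:
        print(f"{sample!r}: {assess(sample)}")
```

Run it against the output of `envoy --version` from each running instance; any result other than `fixed` means the build should be scheduled for upgrade to the corresponding release above.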