Envoy Proxy Memory Allocation with Excessive Size Value Vulnerability (CVE-2026-49975)
Description
A memory exhaustion vulnerability in Envoy's HTTP/2 cookie coalescing path allows a remote, unauthenticated attacker to cause a denial of service with crafted HPACK requests. The attacker seeds the HPACK dynamic table with a large cookie header and then replays it with one-byte indexed references, which bypasses the default max_headers_count limit: Envoy appends each repeated cookie value to a per-stream buffer instead of counting it against the header limits, so a small header block expands into a large allocation. If the attacker also stalls flow control by advertising INITIAL_WINDOW_SIZE=0, the allocated memory is held indefinitely. Fixed in Envoy 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
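The accounting flaw described above, modelled as an added example that is not Envoy's code and does not reproduce the upstream fix: a constructed HPACK-style decoder that handles a header block of literal and indexed items, coalesces cookie fields into a per-stream buffer, and applies one of two policies. The flawed policy never counts cookie fields, so the buffer is bounded only by how many one-byte references fit on the wire; the strict policy counts every decoded field and also charges decoded bytes against a per-request budget. The limits (100 fields, 60 KiB) and the helper names are assumptions chosen for the model.

```python
"""Constructed model of request-header limit accounting in an HPACK-style
decoder. Added teaching example; not Envoy source and not the upstream fix.
It contrasts two policies for cookie fields that arrive as repeated one-byte
indexed references to a single dynamic-table entry."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_HEADERS_COUNT = 100                # assumed default header-count limit
MAX_REQUEST_HEADERS_BYTES = 60 * 1024  # assumed per-request decoded-size budget


class HeaderLimitExceeded(Exception):
    """Raised when a decoded request exceeds a configured header limit."""


@dataclass
class DecodedRequest:
    headers: List[Tuple[str, str]] = field(default_factory=list)
    cookie_buffer: bytearray = field(default_factory=bytearray)  # coalesced cookie, per stream
    wire_bytes: int = 0  # approximate size of the encoded header block


def decode(block, max_headers_count=MAX_HEADERS_COUNT, count_cookies=True,
           max_request_headers_bytes: Optional[int] = MAX_REQUEST_HEADERS_BYTES) -> DecodedRequest:
    """Decode a constructed block of ("literal", name, value) and ("indexed", i) items.

    count_cookies=False models the flawed accounting: cookie fields are appended
    to the per-stream buffer and never counted against max_headers_count.
    count_cookies=True counts every decoded field and charges its bytes
    against max_request_headers_bytes (None disables the byte budget).
    """
    table: List[Tuple[str, str]] = []  # dynamic table, newest entry at index 0
    req = DecodedRequest()
    decoded_bytes = 0
    counted = 0
    for item in block:
        if item[0] == "literal":
            _, name, value = item
            table.insert(0, (name, value))
            req.wire_bytes += len(name) + len(value) + 2  # two length prefixes
        elif item[0] == "indexed":
            name, value = table[item[1]]
            req.wire_bytes += 1  # an indexed reference is a single byte on the wire
        else:
            raise ValueError(f"unknown item {item!r}")
        decoded_bytes += len(name) + len(value)
        if name == "cookie":
            if req.cookie_buffer:
                req.cookie_buffer += b"; "
            req.cookie_buffer += value.encode()
            if count_cookies:
                counted += 1
        else:
            req.headers.append((name, value))
            counted += 1
        if counted > max_headers_count:
            raise HeaderLimitExceeded(f"{counted} header fields exceed {max_headers_count}")
        if max_request_headers_bytes is not None and decoded_bytes > max_request_headers_bytes:
            raise HeaderLimitExceeded(f"{decoded_bytes} decoded bytes exceed {max_request_headers_bytes}")
    return req


def replayed_cookie_block(cookie_len=4096, references=1000):
    """Constructed block: one large cookie stored in the dynamic table, followed
    by `references` one-byte indexed references to it (the pattern the advisory
    describes, here only as decoder input for the model)."""
    block = [("literal", ":method", "GET"), ("literal", ":path", "/"),
             ("literal", "cookie", "a" * cookie_len)]
    block += [("indexed", 0)] * references
    return block


def compare_policies(block):
    """Return how each policy treats the block: the flawed policy's wire size
    versus buffered size, and whether the strict policy rejected the request."""
    flawed = decode(block, count_cookies=False, max_request_headers_bytes=None)
    try:
        decode(block)
        strict = "accepted"
    except HeaderLimitExceeded as exc:
        strict = f"rejected: {exc}"
    return {
        "flawed_wire_bytes": flawed.wire_bytes,
        "flawed_buffered_bytes": len(flawed.cookie_buffer),
        "flawed_counted_headers": len(flawed.headers),
        "strict": strict,
    }


if __name__ == "__main__":
    for key, val in compare_policies(replayed_cookie_block()).items():
        print(f"{key}: {val}")
```

With the default inputs the flawed policy decodes roughly 5 KB of header block into a buffer of about 4.1 MB while still reporting only two counted headers, which is why a per-field count that excludes coalesced cookies gives no protection; the strict policy rejects the same block long before the buffer grows, on whichever of the two limits trips first. A benign request with a single repeated cookie passes both policies, so the stricter accounting does not change behaviour for ordinary traffic.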