Mitigation Recommendation for CVE-2026-47774

[yanavlasov]

Mitigation Recommendation for CVE-2026-47774
TL;DR; continue reading if your Envoy’s terminate untrusted H/2 requests.

In response to the 0-day CVE-2026-47774 Envoy maintainer had published a set of patches to mitigate DoS attack over H/2 protocol using a specifically crafted cookie header. The mitigation made the cookie header count and overall size to be subject to Envoy’s header map limits.

Early deployment of the mitigation revealed that it can inadvertently affect legitimate traffic. By default Envoy limits total header count to 100 and overall size of all headers to 60Kb. If an application uses a high number of individual cookies or very large cookies it can exceed these limits, resulting in reset requests. For example:

• If a client sends 90 cookie crumbs and 15 other headers, the request will be reset as it will exceed the default header count limit of 100. This is the most commonly observed failure.
• If a client sends 60Kb of cookies and 1 Kb of other headers, the default 60Kb limit on the total size of headers will be exceeded.

If you have already deployed the mitigation, you can observe the impact on the traffic in the following manner:

1. A new H/2 codec counter header_list_size_too_large was added to provide visibility to the number of reset requests due to exceeding header count limit. Increase in this counter indicates the impact to the traffic.
2. An increase in the header_overflow counter indicates the limit on the total size of the header map is exceeded.
3. Additionally the connection manager level stas: downstream_rq_rx_reset can increase after enabling the mitigation if requests are reset due to exceeded limits. This counter is incremented for all stream resets, including client initiated resets.

If you observe impact on the normal user traffic, you can take the following actions:

1. Increase the max_headers_count in the HTTP connection manager protocol options. A limit of 1000 headers is a safe number from the DoS perspective if you do not know how many cookies an application is using. This limit should be increased if the header_list_size_too_large counter is increasing.
2. Increase the max_request_headers_kb in the HTTP connection manager settings . A 128Kb is a safe number from the DoS perspective if you do not know the maximum size of cookies an application is using. This limit should be increased if the header_overflow counter is increasing.

Additionally an emergency Envoy releases v1.38.2, v1.37.4, v1.36.8 and v1.35.12 are being prepared that contain the following changes to aid operators in determining safe header map limits:

1. A set of histograms with the H/2 header map stats. The histograms are disabled by default and can be enabled by setting the envoy.reloadable_features.http2_record_histograms runtime flag to true. The new histograms are:
   • header_count - total count of header entries received (including individual cookie headers).
   • header_list_size - total byte size of header map entries, total length of the re-assembled cookie.
   • cookie_count - count of individual cookie headers.
   • cookie_size - size of re-assembled cookie headers.
2. Dedicated limit on the size of re-assembled cookie header. This limit is off by default and can be set via the envoy.reloadable_features.http2_max_cookies_size_in_kb runtime value.