PT-2023-25396 · Envoy+2
Yanavlasov · Published 2023-07-13 · Updated 2024-06-15 · CVE-2023-35945
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.23.11
Envoy versions prior to 1.24.9
Envoy versions prior to 1.25.8
Envoy versions prior to 1.26.3
Description
Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving an RST_STREAM frame immediately followed by a GOAWAY frame from an upstream server. In nghttp2, the cleanup of pending requests triggered by receipt of the GOAWAY frame skips de-allocation of the bookkeeping structure and the pending compressed header. The error return path is taken if the connection is already marked as not sending more requests because of the GOAWAY frame. The clean-up code sits right after that return statement, so it never runs and the memory is leaked. This can lead to denial of service through memory exhaustion.
Recommendations
For versions prior to 1.23.11, update to version 1.23.11 or later.
For versions prior to 1.24.9, update to version 1.24.9 or later.
For versions prior to 1.25.8, update to version 1.25.8 or later.
For versions prior to 1.26.3, update to version 1.26.3 or later.
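The version ranges and recommendations above, expressed as a check that can be run against an inventory of deployed Envoy versions. This is an added example, not code from the advisory or from the Envoy project; the function names, the sample banner and the treatment of branches newer than 1.26 as unaffected are assumptions.

```python
import re

# Fixed patch release per branch, copied from the advisory's version list.
FIXED = {(1, 23): 11, (1, 24): 9, (1, 25): 8, (1, 26): 3}
OLDEST_BRANCH = min(FIXED)


def parse_version(text):
    """Extract (major, minor, patch) from a bare version or a version banner."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version falls in a range the advisory lists as vulnerable."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    # Branches older than 1.23 are "prior to 1.23.11". Branches newer than
    # 1.26 are not listed by the advisory; treating them as unaffected is an
    # assumption of this example.
    return branch < OLDEST_BRANCH


def minimum_fixed(version_text):
    """Return the advisory's upgrade target, or None if already fixed."""
    if not is_affected(version_text):
        return None
    major, minor, _ = parse_version(version_text)
    branch = (major, minor) if (major, minor) in FIXED else OLDEST_BRANCH
    return "{}.{}.{}".format(*branch, FIXED[branch])


# Constructed sample in the style of an `envoy --version` banner;
# the commit hash is a placeholder.
SAMPLE_BANNER = ("envoy  version: 0000000000000000000000000000000000000000"
                 "/1.25.7/Clean/RELEASE/BoringSSL")

if __name__ == "__main__":
    for candidate in (SAMPLE_BANNER, "1.22.5", "1.26.3", "1.27.0"):
        print(candidate, "->", minimum_fixed(candidate) or "not affected")
```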
Exploit
Fix
DoS
Resource Exhaustion
Related identifiers
Affected products
Alt Linux
Envoy
Suse