<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Tue, 09 Jun 2026 14:16:45 +0000</lastBuildDate>
    <item>
      <title>012948d0-c832-46d5-9d51-f8b1593d4806</title>
      <link>https://vulnerability.circl.lu/sighting/012948d0-c832-46d5-9d51-f8b1593d4806/export</link>
      <description>{"uuid": "012948d0-c832-46d5-9d51-f8b1593d4806", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47774", "type": "seen", "source": "https://bsky.app/profile/feed.igeek.gamer-geek-news.com.ap.brid.gy/post/3mnku5k7vfvy2", "content": "\ud83d\udc27 **Releases of Istio 1.30.1, 1.29.4, and 1.28.8 (CVE-2026-47774)**\n\nServer software mostly\n\n\ud83d\udcf0 Source: Tux Machines\n\ud83d\udd17 Link: https://tuxmachines.org/n/2026/06/05/Releases_of_Istio_1_30_1_1_29_4_and_1_28_8_CVE_2026_47774.shtml", "creation_timestamp": "2026-06-05T19:18:47.131219Z"}</description>
      <content:encoded>{"uuid": "012948d0-c832-46d5-9d51-f8b1593d4806", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47774", "type": "seen", "source": "https://bsky.app/profile/feed.igeek.gamer-geek-news.com.ap.brid.gy/post/3mnku5k7vfvy2", "content": "\ud83d\udc27 **Releases of Istio 1.30.1, 1.29.4, and 1.28.8 (CVE-2026-47774)**\n\nServer software mostly\n\n\ud83d\udcf0 Source: Tux Machines\n\ud83d\udd17 Link: https://tuxmachines.org/n/2026/06/05/Releases_of_Istio_1_30_1_1_29_4_and_1_28_8_CVE_2026_47774.shtml", "creation_timestamp": "2026-06-05T19:18:47.131219Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/012948d0-c832-46d5-9d51-f8b1593d4806/export</guid>
      <pubDate>Fri, 05 Jun 2026 19:18:47 +0000</pubDate>
    </item>
    <item>
      <title>54b940c2-743f-43ca-9539-2a6734a25d1f</title>
      <link>https://vulnerability.circl.lu/sighting/54b940c2-743f-43ca-9539-2a6734a25d1f/export</link>
      <description>{"uuid": "54b940c2-743f-43ca-9539-2a6734a25d1f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-47774", "type": "seen", "source": "https://gist.github.com/lyuyun/60b1d6a8ad599cf3430761a4b380b17e", "content": "  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502               \u4e4b\u524d\u63d0\u5230\u7684\u65b9\u6848               \u2502                                         \u5b9e\u9645\u53ef\u884c\u6027                                         \u2502\n  
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 codec_type: HTTP1 (\u5355\u72ec\u4f7f\u7528)               \u2502 \u6709\u6548\u963b\u6b62\u6f0f\u6d1e\u5229\u7528\uff0c\u4f46\u4f1a\u7834\u574f h2 \u5ba2\u6237\u7aef\u8fde\u63a5                                                   \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 max_request_headers_kb \u9650\u5236                \u2502 \u5bf9\u6b64 
CVE \u65e0\u6548 \u2014 Cookie \u5b57\u8282\u5728\u5927\u5c0f\u6821\u9a8c\u540e\u624d\u62fc\u88c5\uff0c\u7ed5\u8fc7\u8be5\u68c0\u67e5                                  \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 ALPN MERGE \u79fb\u9664 h2                         \u2502 \u4e0d\u53ef\u884c \u2014 proto repeated \u5b57\u6bb5 MERGE \u662f\u8ffd\u52a0\uff0c\u7ed3\u679c\u4e3a [\"h2\",\"http/1.1\",\"http/1.1\"]             \u2502\n  
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 Overload Manager via BOOTSTRAP EnvoyFilter \u2502 \u5bf9 ingressgateway \u4e0d\u751f\u6548 \u2014 \u5df2\u77e5 issue #40903 (https://github.com/istio/istio/issues/40903) \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\n  ---\n  \u5b9e\u9645\u53ef\u5b9e\u65bd\u7684\u65b9\u6848\uff08\u5df2\u9a8c\u8bc1\uff09\n\n  \u65b9\u6848 A\uff1acodec_type 
HTTP1\uff08\u53ef\u7528\uff0c\u9700\u7406\u89e3\u526f\u4f5c\u7528\uff09\n\n  \u673a\u5236\uff1acodec_type: HTTP1 \u4f7f HCM \u5b8c\u5168\u5ffd\u7565 ALPN \u534f\u5546\u7ed3\u679c\uff0c\u5f3a\u5236\u7528 HTTP/1.1 \u89e3\u6790\u5668\u5904\u7406\u8fde\u63a5\u3002\u5ba2\u6237\u7aef\u82e5\u7ecf ALPN \u534f\u5546\u4e86 h2\uff0c\u53d1\u6765 HTTP/2 preface\uff08PRI *\n  HTTP/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\uff09\uff0cHTTP/1.1 \u89e3\u6790\u5668\u65e0\u6cd5\u8bc6\u522b \u2192 \u8fd4\u56de 400 http1.codec_error\uff0c\u8fde\u63a5\u5173\u95ed\u3002\n\n  \u7ed3\u679c\uff1a\u6f0f\u6d1e\u5229\u7528\u8def\u5f84\u88ab\u5207\u65ad\uff08HTTP/2 \u5e27\u4ece\u672a\u88ab\u5904\u7406\uff09\uff0c\u4f46 h2 \u5ba2\u6237\u7aef\u4f1a\u906d\u9047 400 \u9519\u8bef\u800c\u975e\u4f18\u96c5\u964d\u7ea7\u3002\n\n  apiVersion: networking.istio.io/v1alpha3\n  kind: EnvoyFilter\n  metadata:\n    name: force-http1-codec\n    namespace: istio-system\n  spec:\n    workloadSelector:\n      labels:\n        istio: ingressgateway\n    configPatches:\n    - applyTo: NETWORK_FILTER\n      match:\n        context: GATEWAY\n        listener:\n          filterChain:\n            filter:\n              name: \"envoy.filters.network.http_connection_manager\"\n      patch:\n        operation: MERGE\n        value:\n          typed_config:\n            \"@type\": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\n            codec_type: HTTP1\n\n  \u9002\u7528\u6761\u4ef6\uff1a\u65e0 gRPC \u670d\u52a1\uff0c\u5ba2\u6237\u7aef\u53ef\u63a5\u53d7\u964d\u7ea7\u4e3a HTTP/1.1\u3002\n\n  ---\n  \u65b9\u6848 B\uff1a\u5b8c\u6574\u7981\u7528 HTTP/2\uff08codec + ALPN \u53cc\u5c42\uff0c\u9700 IstioOperator\uff09\n\n  \u7531\u4e8e EnvoyFilter MERGE \u65e0\u6cd5\u79fb\u9664 ALPN \u4e2d\u7684 h2\uff0c\u9700\u901a\u8fc7 IstioOperator k8s.overlays \u76f4\u63a5\u5411 ingressgateway Deployment \u6ce8\u5165\u73af\u5883\u53d8\u91cf\u6765\u8986\u76d6 
bootstrap\uff0c\u4ece\u6839\u6e90\u4e0a\u63a7\u5236\n  ALPN\u3002\n\n  \u6b65\u9aa4 1\uff1a\u521b\u5efa\u81ea\u5b9a\u4e49 bootstrap ConfigMap\n\n  apiVersion: v1\n  kind: ConfigMap\n  metadata:\n    name: gw-custom-bootstrap\n    namespace: istio-system\n  data:\n    custom_bootstrap.yaml: |\n      # \u8986\u76d6 Envoy \u4e0b\u6e38 TLS ALPN\uff0c\u4ec5\u4fdd\u7559 http/1.1\n      # \u6b64\u6587\u4ef6\u901a\u8fc7 --config-yaml \u4e0e\u9ed8\u8ba4 bootstrap \u5408\u5e76\n      # \u6ce8\u610f\uff1arepeated \u5b57\u6bb5\u5728\u5408\u5e76\u65f6\u8ffd\u52a0\uff0csingular \u5b57\u6bb5\u66ff\u6362\n      # ALPN \u901a\u8fc7 listener \u5c42\u8986\u76d6\uff0c\u6b64\u5904\u7528 overload_manager \u4f5c\u4e3a\u9644\u52a0\u9632\u62a4\n      overload_manager:\n        refresh_interval: 0.25s\n        buffer_factory_config:\n          minimum_account_to_track_power_of_two: 20\n        resource_monitors:\n        - name: \"envoy.resource_monitors.fixed_heap\"\n          typed_config:\n            \"@type\": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig\n            max_heap_size_bytes: 1610612736  # \u8bbe\u4e3a\u5185\u5b58 limit \u7684 ~90%\uff0c\u5982 1.5GB\n        actions:\n        - name: \"envoy.overload_actions.reset_high_memory_stream\"\n          triggers:\n          - name: \"envoy.resource_monitors.fixed_heap\"\n            scaled:\n              scaling_threshold: 0.85\n              saturation_threshold: 0.95\n        - name: \"envoy.overload_actions.stop_accepting_requests\"\n          triggers:\n          - name: \"envoy.resource_monitors.fixed_heap\"\n            threshold:\n              value: 0.98\n\n  \u6b65\u9aa4 2\uff1a\u901a\u8fc7 IstioOperator overlay \u6ce8\u5165\uff08\u8fd9\u662f\u8ba9 ingressgateway \u63a5\u53d7\u81ea\u5b9a\u4e49 bootstrap \u7684\u552f\u4e00\u5df2\u9a8c\u8bc1\u65b9\u5f0f\uff09\n\n  apiVersion: install.istio.io/v1alpha1\n  kind: IstioOperator\n  spec:\n    components:\n      ingressGateways:\n      - 
name: istio-ingressgateway\n        enabled: true\n        k8s:\n          overlays:\n          - kind: Deployment\n            name: istio-ingressgateway\n            patches:\n            - path: spec.template.spec.containers.[name:istio-proxy].env[-1]\n              value:\n                name: ISTIO_BOOTSTRAP_OVERRIDE\n                value: /etc/istio/custom-bootstrap/custom_bootstrap.yaml\n            - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts[-1]\n              value:\n                mountPath: /etc/istio/custom-bootstrap\n                name: custom-bootstrap-volume\n                readOnly: true\n            - path: spec.template.spec.volumes[-1]\n              value:\n                name: custom-bootstrap-volume\n                configMap:\n                  name: gw-custom-bootstrap\n                  defaultMode: 420\n\n  \u6b65\u9aa4 3\uff1a\u540c\u65f6\u53e0\u52a0\u65b9\u6848 A \u7684 codec_type: HTTP1 EnvoyFilter\n\n  \u4e24\u8005\u7ec4\u5408\u6548\u679c\uff1a\n  - codec_type: HTTP1 \u2192 \u963b\u65ad HTTP/2 \u5e27\u5904\u7406\uff08\u9632\u6b62\u6f0f\u6d1e\u5229\u7528\uff09\n  - overload_manager \u2192 \u5185\u5b58\u538b\u529b\u8d85 85% \u65f6\u4e3b\u52a8 reset \u9ad8\u5185\u5b58\u6d41\uff08\u9650\u5236\u7206\u70b8\u534a\u5f84\uff09\n  - stop_accepting_requests \u2192 \u5185\u5b58\u538b\u529b\u8d85 98% \u65f6\u62d2\u7edd\u65b0\u8bf7\u6c42\uff08\u4fdd\u62a4\u8fdb\u7a0b\u4e0d OOM \u5d29\u6e83\uff09\n\n  ---\n  \u65b9\u6848 C\uff1a\u5728 Istio \u524d\u7f6e\u5c42\u7ec8\u6b62 HTTP/2\uff08\u5bf9\u670d\u52a1\u65e0\u4fb5\u5165\uff09\n\n  \u82e5\u6709 Nginx/\u4e91 LB \u4f4d\u4e8e Istio \u524d\uff0c\u5728\u8be5\u5c42\u5f3a\u5236 HTTP/1.1 \u4e0e\u540e\u7aef\u901a\u4fe1\uff1a\n\n  # Nginx \u2192 Istio ingressgateway \u6bb5\u5f3a\u5236 HTTP/1.1\n  upstream istio_gw {\n      server istio-ingressgateway:443;\n      keepalive 32;\n  }\n\n  server {\n      listen 443 ssl;\n      # \u4e0d\u914d\u7f6e http2\uff0c\u5373\u53ea\u534f\u5546 
http/1.1\n      ssl_protocols TLSv1.2 TLSv1.3;\n      ssl_ciphers HIGH:!aNULL:!MD5;\n\n      location / {\n          proxy_pass https://istio_gw;\n          proxy_http_version 1.1;       # \u5f3a\u5236 HTTP/1.1\n          proxy_set_header Connection \"\";\n      }\n  }\n\n  \u9002\u7528\u6761\u4ef6\uff1a\u67b6\u6784\u4e0a\u6709\u72ec\u7acb\u7684\u5165\u53e3\u5c42\uff0cIstio \u4e0d\u76f4\u63a5\u66b4\u9732\u7ed9\u5916\u90e8\u3002\n\n  ---\n  \u6700\u7ec8\u51b3\u7b56\u6811\n\n  \u662f\u5426\u6709 gRPC \u670d\u52a1\uff1f\n  \u251c\u2500 \u5426 \u2500\u2500\u2192 \u65b9\u6848 A\uff08codec_type: HTTP1\uff09\n  \u2502          + \u65b9\u6848 B\uff08overload_manager \u4fdd\u62a4\uff09\n  \u2502          \u2713 \u53ef\u7acb\u5373\u7f13\u89e3 CVE\uff0c\u4ee3\u4ef7\u662f h2 \u5ba2\u6237\u7aef 400 \u964d\u7ea7\n  \u2502\n  \u2514\u2500 \u662f \u2500\u2500\u2192 \u662f\u5426\u6709 Istio \u524d\u7f6e\u7684\u72ec\u7acb\u5165\u53e3\u5c42\uff1f\n             \u251c\u2500 \u662f \u2500\u2500\u2192 \u65b9\u6848 C\uff08\u524d\u7f6e\u5c42\u62e6\u622a\uff09\n             \u2502          gRPC \u8d70\u72ec\u7acb\u7aef\u53e3/Gateway \u4e0d\u53d7\u5f71\u54cd\n             \u2502\n             \u2514\u2500 \u5426 \u2500\u2500\u2192 \u65e0\u5b8c\u6574\u975e\u5347\u7ea7\u7f13\u89e3\u65b9\u6848\n                        \u5efa\u8bae\uff1a\u5c3d\u5feb\u5347\u7ea7\u81f3\u4fee\u590d\u7248\u672c\n                        \u4e34\u65f6\uff1a\u65b9\u6848 B\uff08overload_manager\uff09\u9650\u5236\u7206\u70b8\u534a\u5f84\n\n  ---\n  Sources:\n  - GHSA-22m2-hvr2-xqc8 \u2014 Envoy HTTP/2 memory exhaustion advisory (https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8)\n  - Configuring Envoy as an edge proxy through Istio (Signicat, Nov 2024) (https://www.signicat.com/blog/configuring-envoy-as-an-edge-proxy-through-istio)\n  - BOOTSTRAP EnvoyFilter not applied to ingressgateway \u00b7 issue #40903 (https://github.com/istio/istio/issues/40903)\n  - Support configuring ALPN on Gateway 
listener \u00b7 issue #44729 (https://github.com/istio/istio/issues/44729)\n  - Codex Discovered a Hidden HTTP/2 Bomb (why max_request_headers_kb fails) (https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)\n  - Envoy Overload Manager documentation (https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager)\n", "creation_timestamp": "2026-06-09T02:27:39.000000Z"}</description>
      <content:encoded>{"uuid": "54b940c2-743f-43ca-9539-2a6734a25d1f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-47774", "type": "seen", "source": "https://gist.github.com/lyuyun/60b1d6a8ad599cf3430761a4b380b17e", "content": "  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n  \u2502               \u4e4b\u524d\u63d0\u5230\u7684\u65b9\u6848               \u2502                                         \u5b9e\u9645\u53ef\u884c\u6027                                         \u2502\n  
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 codec_type: HTTP1 (\u5355\u72ec\u4f7f\u7528)               \u2502 \u6709\u6548\u963b\u6b62\u6f0f\u6d1e\u5229\u7528\uff0c\u4f46\u4f1a\u7834\u574f h2 \u5ba2\u6237\u7aef\u8fde\u63a5                                                   \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 max_request_headers_kb \u9650\u5236                \u2502 \u5bf9\u6b64 
CVE \u65e0\u6548 \u2014 Cookie \u5b57\u8282\u5728\u5927\u5c0f\u6821\u9a8c\u540e\u624d\u62fc\u88c5\uff0c\u7ed5\u8fc7\u8be5\u68c0\u67e5                                  \u2502\n  \u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 ALPN MERGE \u79fb\u9664 h2                         \u2502 \u4e0d\u53ef\u884c \u2014 proto repeated \u5b57\u6bb5 MERGE \u662f\u8ffd\u52a0\uff0c\u7ed3\u679c\u4e3a [\"h2\",\"http/1.1\",\"http/1.1\"]             \u2502\n  
\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n  \u2502 Overload Manager via BOOTSTRAP EnvoyFilter \u2502 \u5bf9 ingressgateway \u4e0d\u751f\u6548 \u2014 \u5df2\u77e5 issue #40903 (https://github.com/istio/istio/issues/40903) \u2502\n  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n\n  ---\n  \u5b9e\u9645\u53ef\u5b9e\u65bd\u7684\u65b9\u6848\uff08\u5df2\u9a8c\u8bc1\uff09\n\n  \u65b9\u6848 A\uff1acodec_type 
HTTP1\uff08\u53ef\u7528\uff0c\u9700\u7406\u89e3\u526f\u4f5c\u7528\uff09\n\n  \u673a\u5236\uff1acodec_type: HTTP1 \u4f7f HCM \u5b8c\u5168\u5ffd\u7565 ALPN \u534f\u5546\u7ed3\u679c\uff0c\u5f3a\u5236\u7528 HTTP/1.1 \u89e3\u6790\u5668\u5904\u7406\u8fde\u63a5\u3002\u5ba2\u6237\u7aef\u82e5\u7ecf ALPN \u534f\u5546\u4e86 h2\uff0c\u53d1\u6765 HTTP/2 preface\uff08PRI *\n  HTTP/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\uff09\uff0cHTTP/1.1 \u89e3\u6790\u5668\u65e0\u6cd5\u8bc6\u522b \u2192 \u8fd4\u56de 400 http1.codec_error\uff0c\u8fde\u63a5\u5173\u95ed\u3002\n\n  \u7ed3\u679c\uff1a\u6f0f\u6d1e\u5229\u7528\u8def\u5f84\u88ab\u5207\u65ad\uff08HTTP/2 \u5e27\u4ece\u672a\u88ab\u5904\u7406\uff09\uff0c\u4f46 h2 \u5ba2\u6237\u7aef\u4f1a\u906d\u9047 400 \u9519\u8bef\u800c\u975e\u4f18\u96c5\u964d\u7ea7\u3002\n\n  apiVersion: networking.istio.io/v1alpha3\n  kind: EnvoyFilter\n  metadata:\n    name: force-http1-codec\n    namespace: istio-system\n  spec:\n    workloadSelector:\n      labels:\n        istio: ingressgateway\n    configPatches:\n    - applyTo: NETWORK_FILTER\n      match:\n        context: GATEWAY\n        listener:\n          filterChain:\n            filter:\n              name: \"envoy.filters.network.http_connection_manager\"\n      patch:\n        operation: MERGE\n        value:\n          typed_config:\n            \"@type\": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\n            codec_type: HTTP1\n\n  \u9002\u7528\u6761\u4ef6\uff1a\u65e0 gRPC \u670d\u52a1\uff0c\u5ba2\u6237\u7aef\u53ef\u63a5\u53d7\u964d\u7ea7\u4e3a HTTP/1.1\u3002\n\n  ---\n  \u65b9\u6848 B\uff1a\u5b8c\u6574\u7981\u7528 HTTP/2\uff08codec + ALPN \u53cc\u5c42\uff0c\u9700 IstioOperator\uff09\n\n  \u7531\u4e8e EnvoyFilter MERGE \u65e0\u6cd5\u79fb\u9664 ALPN \u4e2d\u7684 h2\uff0c\u9700\u901a\u8fc7 IstioOperator k8s.overlays \u76f4\u63a5\u5411 ingressgateway Deployment \u6ce8\u5165\u73af\u5883\u53d8\u91cf\u6765\u8986\u76d6 
bootstrap\uff0c\u4ece\u6839\u6e90\u4e0a\u63a7\u5236\n  ALPN\u3002\n\n  \u6b65\u9aa4 1\uff1a\u521b\u5efa\u81ea\u5b9a\u4e49 bootstrap ConfigMap\n\n  apiVersion: v1\n  kind: ConfigMap\n  metadata:\n    name: gw-custom-bootstrap\n    namespace: istio-system\n  data:\n    custom_bootstrap.yaml: |\n      # \u8986\u76d6 Envoy \u4e0b\u6e38 TLS ALPN\uff0c\u4ec5\u4fdd\u7559 http/1.1\n      # \u6b64\u6587\u4ef6\u901a\u8fc7 --config-yaml \u4e0e\u9ed8\u8ba4 bootstrap \u5408\u5e76\n      # \u6ce8\u610f\uff1arepeated \u5b57\u6bb5\u5728\u5408\u5e76\u65f6\u8ffd\u52a0\uff0csingular \u5b57\u6bb5\u66ff\u6362\n      # ALPN \u901a\u8fc7 listener \u5c42\u8986\u76d6\uff0c\u6b64\u5904\u7528 overload_manager \u4f5c\u4e3a\u9644\u52a0\u9632\u62a4\n      overload_manager:\n        refresh_interval: 0.25s\n        buffer_factory_config:\n          minimum_account_to_track_power_of_two: 20\n        resource_monitors:\n        - name: \"envoy.resource_monitors.fixed_heap\"\n          typed_config:\n            \"@type\": type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig\n            max_heap_size_bytes: 1610612736  # \u8bbe\u4e3a\u5185\u5b58 limit \u7684 ~90%\uff0c\u5982 1.5GB\n        actions:\n        - name: \"envoy.overload_actions.reset_high_memory_stream\"\n          triggers:\n          - name: \"envoy.resource_monitors.fixed_heap\"\n            scaled:\n              scaling_threshold: 0.85\n              saturation_threshold: 0.95\n        - name: \"envoy.overload_actions.stop_accepting_requests\"\n          triggers:\n          - name: \"envoy.resource_monitors.fixed_heap\"\n            threshold:\n              value: 0.98\n\n  \u6b65\u9aa4 2\uff1a\u901a\u8fc7 IstioOperator overlay \u6ce8\u5165\uff08\u8fd9\u662f\u8ba9 ingressgateway \u63a5\u53d7\u81ea\u5b9a\u4e49 bootstrap \u7684\u552f\u4e00\u5df2\u9a8c\u8bc1\u65b9\u5f0f\uff09\n\n  apiVersion: install.istio.io/v1alpha1\n  kind: IstioOperator\n  spec:\n    components:\n      ingressGateways:\n      - 
name: istio-ingressgateway\n        enabled: true\n        k8s:\n          overlays:\n          - kind: Deployment\n            name: istio-ingressgateway\n            patches:\n            - path: spec.template.spec.containers.[name:istio-proxy].env[-1]\n              value:\n                name: ISTIO_BOOTSTRAP_OVERRIDE\n                value: /etc/istio/custom-bootstrap/custom_bootstrap.yaml\n            - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts[-1]\n              value:\n                mountPath: /etc/istio/custom-bootstrap\n                name: custom-bootstrap-volume\n                readOnly: true\n            - path: spec.template.spec.volumes[-1]\n              value:\n                name: custom-bootstrap-volume\n                configMap:\n                  name: gw-custom-bootstrap\n                  defaultMode: 420\n\n  \u6b65\u9aa4 3\uff1a\u540c\u65f6\u53e0\u52a0\u65b9\u6848 A \u7684 codec_type: HTTP1 EnvoyFilter\n\n  \u4e24\u8005\u7ec4\u5408\u6548\u679c\uff1a\n  - codec_type: HTTP1 \u2192 \u963b\u65ad HTTP/2 \u5e27\u5904\u7406\uff08\u9632\u6b62\u6f0f\u6d1e\u5229\u7528\uff09\n  - overload_manager \u2192 \u5185\u5b58\u538b\u529b\u8d85 85% \u65f6\u4e3b\u52a8 reset \u9ad8\u5185\u5b58\u6d41\uff08\u9650\u5236\u7206\u70b8\u534a\u5f84\uff09\n  - stop_accepting_requests \u2192 \u5185\u5b58\u538b\u529b\u8d85 98% \u65f6\u62d2\u7edd\u65b0\u8bf7\u6c42\uff08\u4fdd\u62a4\u8fdb\u7a0b\u4e0d OOM \u5d29\u6e83\uff09\n\n  ---\n  \u65b9\u6848 C\uff1a\u5728 Istio \u524d\u7f6e\u5c42\u7ec8\u6b62 HTTP/2\uff08\u5bf9\u670d\u52a1\u65e0\u4fb5\u5165\uff09\n\n  \u82e5\u6709 Nginx/\u4e91 LB \u4f4d\u4e8e Istio \u524d\uff0c\u5728\u8be5\u5c42\u5f3a\u5236 HTTP/1.1 \u4e0e\u540e\u7aef\u901a\u4fe1\uff1a\n\n  # Nginx \u2192 Istio ingressgateway \u6bb5\u5f3a\u5236 HTTP/1.1\n  upstream istio_gw {\n      server istio-ingressgateway:443;\n      keepalive 32;\n  }\n\n  server {\n      listen 443 ssl;\n      # \u4e0d\u914d\u7f6e http2\uff0c\u5373\u53ea\u534f\u5546 
http/1.1\n      ssl_protocols TLSv1.2 TLSv1.3;\n      ssl_ciphers HIGH:!aNULL:!MD5;\n\n      location / {\n          proxy_pass https://istio_gw;\n          proxy_http_version 1.1;       # \u5f3a\u5236 HTTP/1.1\n          proxy_set_header Connection \"\";\n      }\n  }\n\n  \u9002\u7528\u6761\u4ef6\uff1a\u67b6\u6784\u4e0a\u6709\u72ec\u7acb\u7684\u5165\u53e3\u5c42\uff0cIstio \u4e0d\u76f4\u63a5\u66b4\u9732\u7ed9\u5916\u90e8\u3002\n\n  ---\n  \u6700\u7ec8\u51b3\u7b56\u6811\n\n  \u662f\u5426\u6709 gRPC \u670d\u52a1\uff1f\n  \u251c\u2500 \u5426 \u2500\u2500\u2192 \u65b9\u6848 A\uff08codec_type: HTTP1\uff09\n  \u2502          + \u65b9\u6848 B\uff08overload_manager \u4fdd\u62a4\uff09\n  \u2502          \u2713 \u53ef\u7acb\u5373\u7f13\u89e3 CVE\uff0c\u4ee3\u4ef7\u662f h2 \u5ba2\u6237\u7aef 400 \u964d\u7ea7\n  \u2502\n  \u2514\u2500 \u662f \u2500\u2500\u2192 \u662f\u5426\u6709 Istio \u524d\u7f6e\u7684\u72ec\u7acb\u5165\u53e3\u5c42\uff1f\n             \u251c\u2500 \u662f \u2500\u2500\u2192 \u65b9\u6848 C\uff08\u524d\u7f6e\u5c42\u62e6\u622a\uff09\n             \u2502          gRPC \u8d70\u72ec\u7acb\u7aef\u53e3/Gateway \u4e0d\u53d7\u5f71\u54cd\n             \u2502\n             \u2514\u2500 \u5426 \u2500\u2500\u2192 \u65e0\u5b8c\u6574\u975e\u5347\u7ea7\u7f13\u89e3\u65b9\u6848\n                        \u5efa\u8bae\uff1a\u5c3d\u5feb\u5347\u7ea7\u81f3\u4fee\u590d\u7248\u672c\n                        \u4e34\u65f6\uff1a\u65b9\u6848 B\uff08overload_manager\uff09\u9650\u5236\u7206\u70b8\u534a\u5f84\n\n  ---\n  Sources:\n  - GHSA-22m2-hvr2-xqc8 \u2014 Envoy HTTP/2 memory exhaustion advisory (https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8)\n  - Configuring Envoy as an edge proxy through Istio (Signicat, Nov 2024) (https://www.signicat.com/blog/configuring-envoy-as-an-edge-proxy-through-istio)\n  - BOOTSTRAP EnvoyFilter not applied to ingressgateway \u00b7 issue #40903 (https://github.com/istio/istio/issues/40903)\n  - Support configuring ALPN on Gateway 
listener \u00b7 issue #44729 (https://github.com/istio/istio/issues/44729)\n  - Codex Discovered a Hidden HTTP/2 Bomb (why max_request_headers_kb fails) (https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)\n  - Envoy Overload Manager documentation (https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager)\n", "creation_timestamp": "2026-06-09T02:27:39.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/54b940c2-743f-43ca-9539-2a6734a25d1f/export</guid>
      <pubDate>Tue, 09 Jun 2026 02:27:39 +0000</pubDate>
    </item>
    <item>
      <title>fe18d081-bda8-45cd-8d8b-3bfcacf3cdc2</title>
      <link>https://vulnerability.circl.lu/sighting/fe18d081-bda8-45cd-8d8b-3bfcacf3cdc2/export</link>
      <description>{"uuid": "fe18d081-bda8-45cd-8d8b-3bfcacf3cdc2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47774", "type": "seen", "source": "https://bsky.app/profile/mfahlandt.bsky.social/post/3mntqtexzt72o", "content": "\ud83d\udee1\ufe0f Cloud Native Security Updates (Week 24, 2026).\nEnvoy v1.38.1+ mitigates CVE-2026-47774 (HTTP/2 stream header size).\ncontainerd v2.1.8 fixes CVE-2026-46680 &amp; `host.containerd.io` mounts.\nLonghorn v1.12.0: V2 Data Engine reaches GA status.\nFull breakdown:\n\nhttps://lwcn.dev/newsletter/2026-week-24/", "creation_timestamp": "2026-06-09T08:13:12.401185Z"}</description>
      <content:encoded>{"uuid": "fe18d081-bda8-45cd-8d8b-3bfcacf3cdc2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47774", "type": "seen", "source": "https://bsky.app/profile/mfahlandt.bsky.social/post/3mntqtexzt72o", "content": "\ud83d\udee1\ufe0f Cloud Native Security Updates (Week 24, 2026).\nEnvoy v1.38.1+ mitigates CVE-2026-47774 (HTTP/2 stream header size).\ncontainerd v2.1.8 fixes CVE-2026-46680 &amp; `host.containerd.io` mounts.\nLonghorn v1.12.0: V2 Data Engine reaches GA status.\nFull breakdown:\n\nhttps://lwcn.dev/newsletter/2026-week-24/", "creation_timestamp": "2026-06-09T08:13:12.401185Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/fe18d081-bda8-45cd-8d8b-3bfcacf3cdc2/export</guid>
      <pubDate>Tue, 09 Jun 2026 08:13:12 +0000</pubDate>
    </item>
  </channel>
</rss>
