Envoy
v1.34.13Networking & MessagingCritical security patch addressing four CVEs including RBAC bypass, IPv6 crash, memory corruption, and HTTP decode vulnerabilities that require immediate upgrade.
securityUpgrade immediately for RBAC bypass fix
CVE-2026-26308 allows attackers to bypass RBAC policies using multivalue headers. This directly impacts access control security. Schedule emergency maintenance to upgrade all Envoy instances, especially those using RBAC for authorization.
securityPatch IPv6 crash vulnerability in production
CVE-2026-26310 causes crashes when processing scoped IPv6 addresses, leading to service disruption. If you handle IPv6 traffic or run dual-stack configurations, prioritize this upgrade to prevent potential DoS attacks.
securityAddress JSON processing memory corruption
CVE-2026-26309 corrupts string null terminators during JSON processing, potentially leading to memory corruption or information disclosure. Update immediately if your services process JSON payloads through Envoy.
Key changes (5)
- Fixed CVE-2026-26308 multivalue header bypass in RBAC that could allow unauthorized access
- Resolved CVE-2026-26310 crash vulnerability when processing scoped IPv6 addresses
- Patched CVE-2026-26309 off-by-one memory write bug in JSON processing
- Fixed CVE-2026-26311 HTTP decode method vulnerability after downstream resets
- Corrected OAuth2 refresh request host rewriting behavior