RATATOSKRATATOSK
Sign in

Envoy

v1.35.11Networking & Messaging
Jun 4, 2026

v1.35.11 is a security-focused patch fixing two HTTP/2 CVEs and two oauth2 vulnerabilities — upgrade immediately if you're running HTTP/2 or oauth2 filter.

  • securityPatch HTTP/2 HPACK cookie-bomb vulnerability now

    CVE-2026-47774 allows an attacker to craft requests with large numbers of HPACK-compressed cookies that decompress into massive header payloads, causing excessive memory usage. The fix resets offending streams and counts cookies toward existing header size limits. Roll out this patch to any Envoy instance terminating HTTP/2 traffic. If you hit legitimate regressions with cookie-heavy workloads, the flag `envoy.reloadable_features.http2_include_cookies_in_limits` can temporarily revert the behavior — but treat that as a short-term workaround, not a solution.

  • securityUpgrade if you use the oauth2 filter — two separate fixes here

    There are two distinct oauth2 issues fixed: a timing side-channel in HMAC verification (exploitable via repeated probing to determine secret validity) and a crash from incorrect AES-CBC decryption behavior on secret mismatch. The crash was probabilistic (~1/256 per request) but real. If your deployment uses Envoy's built-in oauth2 filter for token validation, this patch directly reduces both crash risk and secret exposure surface.

  • enhancementEvaluate stats eviction for high-cardinality metric environments

    The new `stats_eviction_interval` config allows Envoy to periodically purge unused metrics from memory. If you're running workloads with dynamic or high-cardinality labels (e.g., per-request or per-user stats), this can meaningfully reduce memory footprint over time. Test in staging first — eviction behavior depends on whether extensions implement the evictable metrics interface, so not all metrics will be affected.

Key changes (5)

  • CVE-2026-47774: HTTP/2 streams now reset on max header list size violations; uncompressed cookies count toward header limits, blocking HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 upstream patch applied directly
  • oauth2: timing side-channel in HMAC verification closed — could previously leak secret validity under timing analysis
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed (~1/256 chance) on secret mismatch, triggering an assertion
  • Stats: evictable metrics support added with configurable eviction interval to reduce memory pressure from unused metrics