RATATOSKRATATOSK
Sign in

Envoy

v1.35.12Networking & Messaging
Jun 10, 2026

Envoy v1.35.12 is a minor patch with one runtime bug fix and two opt-in HTTP/2 cookie/header observability features. No breaking changes or CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard defaults

    If you rely on RTDS to manage runtime guard overrides, test this fix in staging. Previously, deleting an override left the old value active; now it resets to the process default. Any automation that deleted overrides expecting them to persist will behave differently.

  • enhancementUse the new HTTP/2 cookie size limit to guard against oversized cookie headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag is off by default. If your deployments accept untrusted HTTP/2 traffic, consider setting a reasonable limit to bound memory usage from reassembled cookie headers. Pair it with the new histograms to first measure your actual cookie sizes before choosing a cap.

Key changes (3)

  • Runtime bug fix: deleting an RTDS runtime guard override now correctly restores the process-wide default, instead of leaving the previous override in place.
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) via envoy.reloadable_features.http2_record_histograms — note these will be removed in a future release.
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb lets you cap the size of the reassembled cookie header; no limit is enforced by default.