RATATOSKRATATOSK
Sign in

Envoy

v1.36.7Networking & Messaging
Jun 4, 2026

v1.36.7 is a security-focused patch addressing two CVEs in HTTP/2 and an HPACK cookie-bomb attack vector in the oauth2 filter, plus a crash fix. Upgrade immediately.

  • securityPatch HTTP/2 CVEs now — two CVEs affect any HTTP/2-exposed Envoy

    CVE-2026-47774 enables a cookie-bomb attack where crafted HPACK-compressed cookies inflate to exhaust Envoy memory. After patching, cookies count toward `mutable_max_request_headers_kb` and `max_headers_count`. If you see legitimate requests being reset post-upgrade, the escape hatch is the `envoy.reloadable_features.http2_include_cookies_in_limits` flag — but audit your header size limits first rather than disabling the protection. CVE-2026-27135 is an nghttp2-layer fix with no workaround; you must upgrade.

  • securityAudit oauth2 filter deployments for timing and decryption exposure

    Two oauth2 bugs fixed here are subtle but serious. The timing side-channel in HMAC verification could allow an attacker to probe secret validity over many requests. The AES-CBC crash (1/256 chance on bad tokens) is a reliability issue that could be triggered deliberately. If you use the oauth2 filter with token cookies, treat this as a high-priority upgrade — there's no configuration workaround for either issue.

  • breakingReview header size limits before deploying — cookie counting is a behavior change

    Cookies previously excluded from header size accounting now count toward limits. In practice, applications with many or large cookies may hit `max_headers_count` or `mutable_max_request_headers_kb` and get HTTP/2 stream resets where they didn't before. Before rolling out, check your current limit configurations against real traffic cookie sizes. If you need time, the reloadable feature flag lets you defer the behavior change, but don't leave it disabled long-term.

Key changes (5)

  • CVE-2026-47774: HTTP/2 streams are now reset when they exceed max header list size; uncompressed cookies now count against header size/count limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied directly to the HTTP/2 stack
  • oauth2: timing side-channel in HMAC verification closed — could have leaked whether an HMAC secret was valid
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed (~1/256 probability) on a secret mismatch, triggering a HeaderString assertion
  • load_report: shutdown race condition with ADS stream resolved via proper gRPC stream cleanup