Envoy
v1.38.1Networking & Messagingv1.38.1 is a security-focused patch addressing two HTTP/2 CVEs and two oauth2 vulnerabilities — upgrade immediately if running HTTP/2 or oauth2 filter.
securityPatch HTTP/2 and oauth2 CVEs now — don't wait for your next maintenance window
Two HTTP/2 CVEs (cookie-bomb memory exhaustion via HPACK and nghttp2 CVE-2026-27135) plus two oauth2 bugs (timing oracle and a crash-as-auth-bypass) make this a must-apply patch. If you're running the oauth2 filter, the HMAC timing side-channel is particularly nasty — attackers could probe HMAC secret validity over time. Upgrade to v1.38.1 immediately. The new HTTP/2 header limit behavior is enabled by default; only revert with `envoy.reloadable_features.http2_include_cookies_in_limits` if you have a specific, documented reason.
breakingUpstream failure reason stripped from HTTP response bodies — check your client error handling
Any downstream client or API consumer that parses or displays the upstream transport failure reason from the HTTP response body will now get nothing. The information is still in access logs. Audit your clients and dashboards before upgrading — if something depends on that response body content, you have a short window to either update the client or re-enable the old behavior with `envoy.reloadable_features.hide_transport_failure_reason_in_response_body`.
breakingEDS batch LB rebuild coalescing is now opt-in — test under high-churn service discovery
Load balancer rebuild coalescing during EDS batch host updates is disabled by default. Environments with large EDS clusters and frequent host churn (e.g., Kubernetes rolling deployments with many pods) may see increased CPU from more frequent LB rebuilds. Benchmark your control-plane interaction patterns after upgrading. Re-enable the old behavior with `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update` if you observe performance regression.
Key changes (5)
- CVE-2026-47774: HTTP/2 streams now reset on max header list size violations; uncompressed cookies count toward header size/count limits to block HPACK cookie-bomb attacks
- CVE-2026-27135: nghttp2 patch applied — affects all HTTP/2 traffic
- oauth2: timing side-channel in HMAC verification fixed, preventing secret validity leakage
- oauth2: crash fixed where AES-CBC decryption could spuriously succeed on secret mismatch (~1/256 probability), triggering a HeaderString assert
- Router no longer includes upstream transport failure reason in HTTP response body — only in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%