RATATOSKRATATOSK
Sign in

Envoy

v1.38.2Networking & Messaging
Jun 11, 2026

Envoy v1.38.2 is a small patch release: one RTDS runtime bug fix and two opt-in HTTP/2 cookie observability features. No security fixes.

  • breakingRTDS runtime guard fix changes delete behavior — verify your override logic

    If your config management deletes RTDS runtime guard overrides expecting them to revert to default, prior behavior was broken and left stale values. After upgrading to v1.38.2, deletes will now correctly restore defaults. Test any automation that removes runtime overrides to confirm it behaves as intended.

  • enhancementUse new HTTP/2 cookie size limit to guard against oversized headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag lets you cap the reassembled cookie header size in HTTP/2. If your deployment handles untrusted upstream or downstream traffic with large cookie headers, set an explicit limit to reduce memory pressure. The default is unlimited, so this is opt-in.

Key changes (3)

  • RTDS runtime fix: deleting a runtime guard override now correctly restores the default value instead of leaving stale state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length/count) via envoy.reloadable_features.http2_record_histograms — temporary, will be removed in a future release
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)