RATATOSKRATATOSK
Sign in

Istio

1.28.9Networking & Messaging
Jun 25, 2026

Istio 1.28.9 is a security release bundling 14 Envoy CVE fixes under ISTIO-SECURITY-2026-005, with the most severe issues covering HTTP/3 DoS, decompressor memory exhaustion, and JSON parsing depth limits.

Key changes (8)

  • 14 Envoy CVEs fixed under ISTIO-SECURITY-2026-005, max severity HIGH
  • HIGH: HTTP/3 QPACK blocked decoding DoS (GHSA-p7c7-7c47-pwch)
  • HIGH: Zstd decompressor memory exhaustion from delayed MaxInflateRatio check (CVE-2026-48044)
  • HIGH: JSON parser nesting depth now capped at 1000 by default, configurable via envoy.reloadable_features.limit_json_parser_nesting_depth (CVE-2026-48042)
  • HIGH: HTTP/3 headers-only content-length validation fix, guarded by envoy.reloadable_features.quic_validate_headers_only_content_length (CVE-2026-48743)
  • Multiple MEDIUM fixes: ext_authz use-after-free on connection reset, gRPC stats filter crash on direct response routes, SAN validation bypass with embedded NUL byte, OAuth2 filter padding oracle in AES-256-CBC cookie decryption (now supports AES-256-GCM)
  • Additional MEDIUM fixes: TLV length mismatch, ext_proc unexpected response handling, HTTP 303 internal redirect issue, DNS query name length check, TcpStatsdSink buffer overflow, token callback after filter teardown
  • Plus general bug fixes improving robustness alongside the security patches