Istio
1.28.9Networking & MessagingJun 25, 2026
Istio 1.28.9 is a security release bundling 14 Envoy CVE fixes under ISTIO-SECURITY-2026-005, with the most severe issues covering HTTP/3 DoS, decompressor memory exhaustion, and JSON parsing depth limits.
Key changes (8)
- 14 Envoy CVEs fixed under ISTIO-SECURITY-2026-005, max severity HIGH
- HIGH: HTTP/3 QPACK blocked decoding DoS (GHSA-p7c7-7c47-pwch)
- HIGH: Zstd decompressor memory exhaustion from delayed MaxInflateRatio check (CVE-2026-48044)
- HIGH: JSON parser nesting depth now capped at 1000 by default, configurable via envoy.reloadable_features.limit_json_parser_nesting_depth (CVE-2026-48042)
- HIGH: HTTP/3 headers-only content-length validation fix, guarded by envoy.reloadable_features.quic_validate_headers_only_content_length (CVE-2026-48743)
- Multiple MEDIUM fixes: ext_authz use-after-free on connection reset, gRPC stats filter crash on direct response routes, SAN validation bypass with embedded NUL byte, OAuth2 filter padding oracle in AES-256-CBC cookie decryption (now supports AES-256-GCM)
- Additional MEDIUM fixes: TLV length mismatch, ext_proc unexpected response handling, HTTP 303 internal redirect issue, DNS query name length check, TcpStatsdSink buffer overflow, token callback after filter teardown
- Plus general bug fixes improving robustness alongside the security patches