RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

Envoy

Networking & MessagingYesterdayJul 14, 2026

Envoy v1.39.0 is a major release combining several breaking behavior changes (mandatory keyUsage enforcement, disabled DLB balancer, stricter TLS inspector validation, changed OTel sampling behavior) with a large batch of roughly 20 medium-severity CVE fixes spanning HTTP/2, HTTP/3, ext_authz, ext_proc, OAuth2, DNS, and several other subsystems. It also ships extensive non-actionable feature and performance work, including dynamic-modules extension points and a new streaming JSON parser for AI protocols.

  • securityBroad CVE batch fixed across core protocol and extension code

    This release fixes roughly 20 CVEs across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression, all rated medium by the notes. Notable ones include HTTP/2 cookie-based header-limit bypass (CVE-2026-47774), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and Zstd decompression memory exhaustion (CVE-2026-48044). The fixes ship in v1.39.0.

  • securityOAuth2 cookie encryption moves to AES-256-GCM (opt-in migration)

    OAuth2 adds AES-256-GCM cookie encryption to address CVE-2026-47775, replacing the older CBC-based scheme. Migration is opt-in: enable oauth2_use_gcm_encryption, monitor the oauth_legacy_cbc_decrypt metric, then disable oauth2_legacy_cbc_decrypt_compat once legacy decryption is no longer observed.

  • breakingCertificate keyUsage enforcement is now mandatory

    Envoy now always enforces the certificate keyUsage extension; the enforce_rsa_key_usage field is deprecated and ignored. This applies unconditionally starting in v1.39.0, so certificates that previously relied on lax enforcement may now fail validation.

  • breakingDLB connection balancer disabled in all builds

    The Intel DLB connection balancer (envoy.network.connection_balance.dlb) is disabled in all builds because of a broken source archive. This applies wherever that extension is configured.

  • breakingTLS inspector now rejects out-of-range client TLS versions

    The TLS inspector now validates that client TLS versions fall between 1.0 and 1.3, rejecting anything outside that range. The check is unconditional in v1.39.0 but can be reverted with envoy.reloadable_features.tls_inspector_enforce_client_tls_version.

  • breakingOTel tracing now defers to Envoy's own sampling decision

    The OpenTelemetry tracer now honors Envoy's own request-entry sampling decision, including overall_sampling, even when a propagated trace context or configured sampler requests sampling. This applies to deployments relying on downstream or context-based sampling overriding Envoy's local config, and may reduce the volume of exported spans.

Key changes (8)
  • Roughly 20 medium-severity CVE fixes across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression; notable ones include CVE-2026-47774 (HTTP/2 cookie header-limit bypass), GHSA-p7c7-7c47-pwch (HTTP/3 QPACK DoS), and CVE-2026-48044 (Zstd memory exhaustion)
  • OAuth2 gains AES-256-GCM cookie encryption (CVE-2026-47775) with an opt-in, staged migration path off legacy CBC decryption
  • Certificate keyUsage enforcement is now mandatory (enforce_rsa_key_usage deprecated); TLS inspector now rejects client TLS versions outside 1.0-1.3
  • Intel DLB connection balancer extension disabled in all builds due to a broken source archive
  • OpenTelemetry tracer now defers to Envoy's own sampling decision (including overall_sampling), which may reduce exported spans
  • Unified DNS cluster implementation is now the default, enabling shared c-ares resolvers and qcache across clusters
  • HeaderMatcher now matches separately supplied header values individually rather than only their comma-joined form (revertible via feature gate)
  • Large non-actionable batch: dynamic-modules extension points and Rust SDK, new Wuffs-based streaming JSON parser for MCP/A2A/OpenAI/Anthropic, new bandwidth-sharing and sub-filter-chain HTTP filters, CNSA/post-quantum TLS policies, io_uring and SO_REUSEPORT BPF performance work, plus numerous bugfixes (connection-pool re-entrancy, DNS resolver leaks, Golang filter re-entry)
Source

gRPC

Networking & MessagingJul 8, 2026

gRPC v1.82.1 is a narrow patch release that only raises the Python protobuf lower bound from 6.33.5 to 7.35.1. This is a breaking change for anyone pinned to an older protobuf release and should be checked before upgrading.

  • breakingprotobuf lower bound raised to 7.35.1

    The minimum required protobuf version has moved from 6.33.5 to 7.35.1. Projects pinned to protobuf below 7.35.1 will fail to resolve dependencies against this gRPC release and need to bump their protobuf pin before upgrading.

Key changes (1)
  • Python dependency constraint: protobuf minimum raised from 6.33.5 to 7.35.1
Source

gRPC

Networking & MessagingJul 2, 2026

gRPC 1.82.0 is a routine release with incremental Core, PHP, Python, and Ruby fixes and no security issues or breaking changes. Highlights are two xDS protocol additions (A85 ORCA-to-LRS, A114 weighted round robin) alongside a batch of smaller bug fixes.

Key changes (8)
  • No CVEs, breaking API removals, or deprecations in this release
  • xDS gains ORCA-to-LRS propagation (gRFC A85) and weighted round robin support for custom backend metrics (A114)
  • Call credentials can now look up and attach regional access boundary policy metadata
  • Python aio fixes: 100% CPU loop under the -O flag, and calls now cancel without closing channels in fork children
  • Ruby adds pure Ruby call credentials and fixes interceptors to run in FIFO order as intended
  • POSIX socket fix: file descriptor 0 was wrongly treated as invalid; CFStream callbacks now unregister on endpoint shutdown
  • PHP extension backport adds PIE support; Python gains Pyright/Typeguard type-checking on aio call and metadata modules
  • Plus a RetryFilter fix avoiding a spurious abseil nullopt assertion
Source

Istio

Networking & MessagingJul 1, 2026

Istio 1.28.10 is a routine patch release with a single bug fix: a memory leak in the krt controller framework that accumulated stale reverse-index entries whenever a Fetch filter key changed.

Key changes (1)
  • Fixed a memory leak in the krt controller where changing a Fetch filter key (e.g., relabeling a pod to a different waypoint) left stale reverse-index entries, causing unbounded memory growth and unnecessary recomputations over time
Source
Browse by month