RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: EnvoyClear ×

Envoy

Networking & MessagingJun 23, 2026

Envoy v1.38.3 is a security-only release patching 15 CVEs plus one upstream wasmtime CVE. Two issues are rated critical: a TLS SAN NUL-byte auth bypass (CVE-2026-47778) and HTTP/3-to-HTTP/1 request smuggling (CVE-2026-48743); the remaining 13 are rated high, covering crashes, a zip-bomb DoS, a PKCE padding oracle, a 65 KB upstream data spillover, and a heap buffer overflow.

  • securityCRITICAL: TLS SAN NUL-byte auth bypass (CVE-2026-47778)

    CVE-2026-47778 (GHSA-f8x4-rw5x-f3r7): a NUL byte embedded in a TLS SAN causes truncation during comparison, allowing an attacker to bypass certificate-based authentication. Upgrade to v1.38.3 unconditionally.

  • securityCRITICAL: HTTP/3 to HTTP/1 request smuggling (CVE-2026-48743)

    CVE-2026-48743 (GHSA-8phg-2h2q-jgxf): a headers-only HTTP/3 request carrying a nonzero Content-Length can be smuggled into a downstream HTTP/1 backend. Any deployment proxying HTTP/3 to HTTP/1 is affected. Upgrade to v1.38.3.

  • securityHIGH: PROXY Protocol v2 upstream data spillover (CVE-2026-47692)

    CVE-2026-47692 (GHSA-wh36-hm39-mm3r): the PROXY Protocol v2 header generator leaks "skipped" TLVs, spilling up to 65 KB of attacker-controlled data into the upstream application stream. Upgrade to v1.38.3.

  • breakingIntel DLB connection balancer extension removed

    The contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) has been disabled at the Bazel build layer in v1.38.3 due to a broken source archive. Any deployment that relied on this extension must migrate to an alternative connection balancer.

  • breakingTLS certificate Brotli compression now disabled by default

    The runtime guard envoy.reloadable_features.tls_certificate_compression_brotli is now disabled by default. When off, QUIC uses zlib-only certificate compression and TCP TLS performs no certificate compression. If you depended on Brotli compression for TLS certificates, re-enable this flag explicitly after upgrading.

Key changes (8)
  • CRITICAL: TLS SAN NUL-byte truncation enables certificate auth bypass (CVE-2026-47778, max severity across all 15 CVEs)
  • CRITICAL: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length (CVE-2026-48743)
  • HIGH: PROXY Protocol v2 leaks up to 65 KB of attacker-controlled data into upstream stream (CVE-2026-47692); OAuth2 PKCE padding oracle (CVE-2026-47775) and UAF/crash on async token completion after stream teardown (CVE-2026-48090)
  • HIGH: Crashes fixed in authz per-route (CVE-2026-47205), router internal redirects (CVE-2026-47221), REQUESTED_SERVER_NAME (CVE-2026-47220), grpc_stats filter on Connect-to-direct_response (CVE-2026-47204), and ext_proc single-gRPC-message response (CVE-2026-47207)
  • HIGH: zstd RLE zip bomb DoS (CVE-2026-48044), JSON deeply-nested destructor stack overflow (CVE-2026-48042), DNS UDP filter abnormal termination (CVE-2026-48497), TcpStatsdSink heap buffer overflow (CVE-2026-48706), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch)
  • wasmtime dependency bumped to resolve CVE-2026-47261 (medium severity)
  • Intel DLB contrib extension (envoy.network.connection_balance.dlb) disabled in all builds due to broken source archive
  • Runtime guard envoy.reloadable_features.tls_certificate_compression_brotli flipped to disabled by default; TCP TLS will no longer compress certificates and QUIC reverts to zlib-only
Source

Envoy

Networking & MessagingJun 23, 2026

Envoy v1.37.5 is a security-only release fixing 15 Envoy CVEs/GHSAs and one upstream dependency CVE, with severities reaching critical. Three critical issues stand out: HTTP/3-to-HTTP/1 request smuggling, TLS SAN auth bypass via embedded NUL bytes, and a PROXY Protocol v2 spillover that puts attacker-controlled data into upstream streams. All v1.37.x deployments should upgrade without delay.

  • securityCritical: HTTP/3 to HTTP/1 request smuggling (CVE-2026-48743)

    CVE-2026-48743 (GHSA-8phg-2h2q-jgxf): HTTP/3 requests with headers-only and a nonzero Content-Length can smuggle requests into HTTP/1 upstream connections. Applies to any deployment terminating HTTP/3 and proxying to HTTP/1 backends. Upgrade immediately.

  • securityCritical: TLS SAN NUL-byte auth bypass (CVE-2026-47778)

    CVE-2026-47778 (GHSA-f8x4-rw5x-f3r7): A TLS SAN containing an embedded NUL byte is truncated at that byte during comparison, allowing a certificate to match patterns it should not. Any deployment making auth decisions based on TLS SAN validation is affected. Upgrade immediately.

  • securityCritical: PROXY Protocol v2 TLV spillover into upstream stream (CVE-2026-47692)

    CVE-2026-47692 (GHSA-wh36-hm39-mm3r): The PROXY Protocol v2 header generator emits TLVs that were supposed to be skipped, spilling up to 65 KB of attacker-controlled data into the upstream application stream. Affects deployments that generate PROXY Protocol v2 headers toward upstreams. Upgrade immediately.

  • securityHigh: Two OAuth2 filter vulnerabilities (padding oracle + UAF)

    CVE-2026-47775 and CVE-2026-48090 (GHSA-396h-jpq4-vc7p, GHSA-3cj2-c63f-q26f): The OAuth2 filter has a PKCE code-verifier padding oracle and a use-after-free risk when an async token fetch completes after stream teardown. Both affect deployments using envoy.filters.http.oauth2.

  • securityHigh: HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch)

    HTTP/3 QPACK blocked decoding (GHSA-p7c7-7c47-pwch) can be exploited to cause a DoS against the HTTP/3 stack. Affects any deployment serving HTTP/3.

  • securityHigh: grpc_stats filter segfault on Connect protocol (CVE-2026-47204)

    CVE-2026-47204 (GHSA-3jxh-8p6x-7pf6): The grpc_stats filter segfaults on Connect-protocol requests routed to direct_response routes. Affects deployments using envoy.filters.http.grpc_stats.

  • breakingIntel DLB connection balancer contrib extension disabled at build time

    The envoy.network.connection_balance.dlb contrib extension (Intel DLB connection balancer) has been disabled at the Bazel build layer across all platforms due to a source archive breakage. Deployments relying on this extension must pursue a local workaround or alternative balancing strategy until the source issue is resolved.

Key changes (5)
  • Three critical CVEs fixed: HTTP/3-to-HTTP/1 request smuggling (CVE-2026-48743), TLS SAN NUL-byte auth bypass (CVE-2026-47778), and PROXY Protocol v2 65 KB upstream stream spillover (CVE-2026-47692).
  • Nine additional high-severity CVEs fixed, covering OAuth2 padding oracle and UAF (CVE-2026-47775, CVE-2026-48090), HTTP/3 QPACK DoS (GHSA-p7c7-7c47-pwch), grpc_stats segfault (CVE-2026-47204), DNS UDP filter abnormal termination (CVE-2026-48497), TcpStatsdSink heap buffer overflow (CVE-2026-48706), deep JSON nesting stack overflow (CVE-2026-48042), router internal redirects crash (CVE-2026-47221), REQUESTED_SERVER_NAME crash (CVE-2026-47220), ext_proc gRPC response crash (CVE-2026-47207), and authz per-route crash (CVE-2026-47205).
  • zstd decompression RLE zip-bomb DoS (CVE-2026-48044, high) fixed; affects deployments using the zstd filter.
  • wasmtime dependency bumped to resolve CVE-2026-47261.
  • envoy.network.connection_balance.dlb (Intel DLB) contrib extension disabled at the Bazel build layer for all platforms due to source archive breakage; local workarounds are referenced in the release notes.
Source

Envoy

Networking & MessagingJun 23, 2026

Envoy v1.36.9 is a security-only release patching 15 CVEs (2 rated critical, the rest high or medium) across TLS SAN handling, HTTP/3, PROXY protocol, JSON parsing, OAuth2, ext_proc, grpc_stats, zstd, DNS, and statsd. Operators should upgrade immediately, as two of the vulnerabilities -- TLS SAN auth bypass and HTTP/3 request smuggling -- are unconditional or broadly exploitable.

  • securityCRITICAL: TLS SAN NUL-byte auth bypass (CVE-2026-47778 / GHSA-f8x4-rw5x-f3r7)

    A TLS SAN containing an embedded NUL byte causes the SAN to be truncated, bypassing certificate-based authentication checks. All deployments are affected. Upgrade to v1.36.9 immediately.

  • securityCRITICAL: HTTP/3-to-HTTP/1 request smuggling (CVE-2026-48743 / GHSA-8phg-2h2q-jgxf)

    A headers-only HTTP/3 request with a nonzero Content-Length can be smuggled into HTTP/1 backends, enabling request smuggling attacks. Affects any deployment proxying HTTP/3 to HTTP/1 backends.

  • securityHIGH: PROXY Protocol v2 upstream data spillover (CVE-2026-47692 / GHSA-wh36-hm39-mm3r)

    PROXY Protocol v2 header generation leaks up to 65 KB of attacker-controlled data into the upstream application stream via improperly emitted TLVs. Affects deployments using the PROXY Protocol v2 header generator.

  • securityHIGH: Stack overflow on deeply nested JSON (CVE-2026-48042 / GHSA-f24p-rxw2-g6pv)

    Deeply nested JSON input triggers a stack overflow in the object destructor, crashing the proxy. All deployments are affected.

  • securityHIGH: wasmtime dependency CVE (CVE-2026-47261)

    The wasmtime dependency was bumped to resolve CVE-2026-47261. All deployments using Wasm extensions are affected.

  • breakingDLB connection balancer extension disabled (capability removed)

    The contrib Intel DLB connection balancer extension (envoy.network.connection_balance.dlb) is now disabled at the Bazel layer for all platforms due to a source archive breakage. Builds that previously enabled this extension will lose it silently.

Key changes (8)
  • CRITICAL (2 CVEs): TLS SAN NUL-byte truncation enables auth bypass (CVE-2026-47778), and HTTP/3-to-HTTP/1 request smuggling via nonzero Content-Length on headers-only requests (CVE-2026-48743).
  • HIGH: PROXY Protocol v2 header generator emits skipped TLVs, allowing up to 65 KB of attacker-controlled data to spill into the upstream stream (CVE-2026-47692).
  • HIGH: Stack overflow in destructor on deeply nested JSON input affects all deployments (CVE-2026-48042).
  • HIGH: Multiple filter-specific crashes and security issues fixed -- ext_proc single-gRPC-message response (CVE-2026-47207), grpc_stats segfault on Connect-protocol requests to direct_response routes (CVE-2026-47204), authz per-route crash (CVE-2026-47205), router internal redirects crash (CVE-2026-47221).
  • HIGH: OAuth2 filter fixes two issues -- PKCE code verifier padding oracle (CVE-2026-47775) and use-after-free risk from late async token completion after stream teardown (CVE-2026-48090).
  • HIGH: zstd RLE zip-bomb decompression amplification (CVE-2026-48044), DNS UDP filter abnormal termination (CVE-2026-48497), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and TcpStatsdSink heap buffer overflow (CVE-2026-48706).
  • wasmtime dependency bumped to resolve CVE-2026-47261 (HIGH, unconditional).
  • The contrib envoy.network.connection_balance.dlb (Intel DLB) extension is disabled for all builds due to a source archive breakage.
Source

Envoy

Networking & MessagingJun 23, 2026

Envoy v1.35.13 is a major security release fixing 13 CVEs, two of them critical: a PROXY protocol v2 TLV spillover leaking up to 65KB into the upstream stream, and a TLS SAN NUL-truncation bug that can bypass certificate-based auth. It also disables the contrib Intel DLB connection balancer extension due to a build breakage.

  • securityPROXY Protocol v2 TLV spillover (CVE-2026-47692)

    Applies to all v1.35.13 deployments running PROXY protocol v2 header generation upstream. CVE-2026-47692 lets an attacker's "skipped" TLVs leak up to 65KB into the upstream application stream. Upgrade immediately if you use this feature.

  • securityTLS SAN NUL truncation enables auth bypass (CVE-2026-47778)

    Applies to deployments validating client certificates by SAN. CVE-2026-47778 lets an embedded NUL byte in a TLS SAN truncate the parsed name, allowing certificates to match unintended hostnames and bypass authentication. Upgrade immediately.

  • security11 more high-severity CVEs across core filters and HTTP/3

    Eleven additional high-severity CVEs are fixed across ext_proc, router internal redirects, OAuth2 (two separate issues: padding oracle and a use-after-free from late async token completion), zstd decompression, grpc_stats, JSON parsing, the DNS filter, HTTP/3 (content-length validation and a separate QPACK-based DoS), and TcpStatsdSync. Each is a crash, DoS, or memory-safety bug tied to a specific filter or codec; upgrade to pick up all fixes, or check which filters you run to prioritize.

  • securityWasmtime dependency bump fixes CVE-2026-47261

    A separate wasmtime CVE (CVE-2026-47261) is fixed by bumping the com_github_wasmtime dependency. Applies to deployments using the Wasm filter.

  • breakingIntel DLB connection balancer extension disabled

    The contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) is disabled at the Bazel build layer for all builds and platforms due to a source archive breakage. Anyone building Envoy with this extension enabled needs an alternate connection balancer.

Key changes (7)
  • 13 CVEs fixed in this release, two rated critical: PROXY protocol v2 TLV spillover (CVE-2026-47692, up to 65KB leaked into the upstream stream) and TLS SAN NUL truncation enabling auth bypass (CVE-2026-47778).
  • High-severity fixes across core request handling: ext_proc single-message response handling (CVE-2026-47207), router internal redirect crash (CVE-2026-47221), grpc_stats segfault on Connect protocol to direct_response routes (CVE-2026-47204), and a stack overflow destroying deeply nested JSON (CVE-2026-48042).
  • Two separate OAuth2 filter fixes: a code verifier padding oracle (CVE-2026-47775) and a use-after-free from late async token completion after stream teardown (CVE-2026-48090).
  • HTTP/3 hardened against two issues: unvalidated content-length on headers-only requests/responses (CVE-2026-48743) and a QPACK blocked-decoding DoS.
  • Additional high-severity fixes: zstd RLE decompression zip bomb (CVE-2026-48044), DNS filter crash on long query names (CVE-2026-48497), and TcpStatsdSync buffer overflow on large stats names (CVE-2026-48706).
  • Upstream wasmtime dependency bumped to resolve CVE-2026-47261 in the Wasm filter.
  • The contrib envoy.network.connection_balance.dlb extension (Intel DLB) is disabled at the Bazel layer for all builds due to a source archive breakage.
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.38.2 is a small patch release: one RTDS runtime bug fix and two opt-in HTTP/2 cookie observability features. No security fixes.

  • breakingRTDS runtime guard fix changes delete behavior — verify your override logic

    If your config management deletes RTDS runtime guard overrides expecting them to revert to default, prior behavior was broken and left stale values. After upgrading to v1.38.2, deletes will now correctly restore defaults. Test any automation that removes runtime overrides to confirm it behaves as intended.

  • enhancementUse new HTTP/2 cookie size limit to guard against oversized headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag lets you cap the reassembled cookie header size in HTTP/2. If your deployment handles untrusted upstream or downstream traffic with large cookie headers, set an explicit limit to reduce memory pressure. The default is unlimited, so this is opt-in.

Key changes (3)
  • RTDS runtime fix: deleting a runtime guard override now correctly restores the default value instead of leaving stale state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length/count) via envoy.reloadable_features.http2_record_histograms — temporary, will be removed in a future release
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.37.4 is a small patch with one RTDS bug fix and two opt-in HTTP/2 cookie-related observability/safety features. No security CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard state

    If your deployments rely on RTDS to manage runtime guard overrides, the old behavior left stale override values after deletion. The fix now restores the process-wide default. Check that your expected default values are actually what you want after an override is removed, especially if you were working around the old broken behavior.

  • enhancementUse the new cookie size limit to protect against oversized cookie headers

    HTTP/2 reassembled cookie headers had no size cap before this release. If you proxy untrusted HTTP/2 clients, set envoy.reloadable_features.http2_max_cookies_size_in_kb to a reasonable limit (e.g., 32–64 KB) to prevent unexpectedly large cookie payloads from reaching upstreams. The default remains unlimited, so this requires an explicit opt-in.

  • enhancementEnable HTTP/2 header histograms in staging to baseline your traffic

    The new envoy.reloadable_features.http2_record_histograms flag adds histograms for header count, map byte size, and cookie metrics. These are useful for understanding HTTP/2 header pressure in your fleet. Enable in a non-production environment first — note these metrics will be removed in a future Envoy release, so don't build long-term dashboards around them.

Key changes (4)
  • RTDS bug fix: deleting a runtime guard override now correctly falls back to the process-wide default instead of leaving a stale value
  • New opt-in HTTP/2 header histograms (header count, byte size, cookie length/count) — enable via envoy.reloadable_features.http2_record_histograms
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)
  • HTTP/2 header histograms are explicitly temporary — they will be removed in a future release
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.36.8 is a minor patch with one bug fix and two opt-in HTTP/2 observability features. No breaking changes or CVEs.

  • breakingHTTP/2 header histograms are temporary — don't build dashboards on them

    The new http2_record_histograms feature and its runtime guard are explicitly scheduled for removal in a future Envoy release. If you enable them for debugging HTTP/2 header issues, treat the resulting metrics as short-lived. Don't wire them into permanent dashboards or alerts that would break on upgrade.

  • enhancementEnable HTTP/2 header histograms if you're debugging large header or cookie payloads

    If you're seeing unexpectedly large HTTP/2 requests or cookie-related issues, flip envoy.reloadable_features.http2_record_histograms to get histograms on header entry count, byte size, and cookie metrics. Pair this with envoy.reloadable_features.http2_max_cookies_size_in_kb to enforce a hard cap on reassembled cookie header size — useful if you need to protect upstream services from oversized cookie headers.

Key changes (4)
  • RTDS runtime guard override deletion now correctly restores the process-wide default value instead of leaving it in a broken state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) enabled via envoy.reloadable_features.http2_record_histograms
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size; no limit enforced by default
  • HTTP/2 histograms and their runtime guard are explicitly temporary — they will be removed in a future release
Source

Envoy

Networking & MessagingJun 10, 2026

Envoy v1.35.12 is a minor patch with one runtime bug fix and two opt-in HTTP/2 cookie/header observability features. No breaking changes or CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard defaults

    If you rely on RTDS to manage runtime guard overrides, test this fix in staging. Previously, deleting an override left the old value active; now it resets to the process default. Any automation that deleted overrides expecting them to persist will behave differently.

  • enhancementUse the new HTTP/2 cookie size limit to guard against oversized cookie headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag is off by default. If your deployments accept untrusted HTTP/2 traffic, consider setting a reasonable limit to bound memory usage from reassembled cookie headers. Pair it with the new histograms to first measure your actual cookie sizes before choosing a cap.

Key changes (3)
  • Runtime bug fix: deleting an RTDS runtime guard override now correctly restores the process-wide default, instead of leaving the previous override in place.
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) via envoy.reloadable_features.http2_record_histograms — note these will be removed in a future release.
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb lets you cap the size of the reassembled cookie header; no limit is enforced by default.
Source

Envoy

Networking & MessagingJun 4, 2026

v1.38.1 is a security-focused patch addressing two HTTP/2 CVEs and two oauth2 vulnerabilities — upgrade immediately if running HTTP/2 or oauth2 filter.

  • securityPatch HTTP/2 and oauth2 CVEs now — don't wait for your next maintenance window

    Two HTTP/2 CVEs (cookie-bomb memory exhaustion via HPACK and nghttp2 CVE-2026-27135) plus two oauth2 bugs (timing oracle and a crash-as-auth-bypass) make this a must-apply patch. If you're running the oauth2 filter, the HMAC timing side-channel is particularly nasty — attackers could probe HMAC secret validity over time. Upgrade to v1.38.1 immediately. The new HTTP/2 header limit behavior is enabled by default; only revert with `envoy.reloadable_features.http2_include_cookies_in_limits` if you have a specific, documented reason.

  • breakingUpstream failure reason stripped from HTTP response bodies — check your client error handling

    Any downstream client or API consumer that parses or displays the upstream transport failure reason from the HTTP response body will now get nothing. The information is still in access logs. Audit your clients and dashboards before upgrading — if something depends on that response body content, you have a short window to either update the client or re-enable the old behavior with `envoy.reloadable_features.hide_transport_failure_reason_in_response_body`.

  • breakingEDS batch LB rebuild coalescing is now opt-in — test under high-churn service discovery

    Load balancer rebuild coalescing during EDS batch host updates is disabled by default. Environments with large EDS clusters and frequent host churn (e.g., Kubernetes rolling deployments with many pods) may see increased CPU from more frequent LB rebuilds. Benchmark your control-plane interaction patterns after upgrading. Re-enable the old behavior with `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update` if you observe performance regression.

Key changes (5)
  • CVE-2026-47774: HTTP/2 streams now reset on max header list size violations; uncompressed cookies count toward header size/count limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied — affects all HTTP/2 traffic
  • oauth2: timing side-channel in HMAC verification fixed, preventing secret validity leakage
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed on secret mismatch (~1/256 probability), triggering a HeaderString assert
  • Router no longer includes upstream transport failure reason in HTTP response body — only in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%
Source

Envoy

Networking & MessagingJun 4, 2026

v1.37.3 is a security-focused patch fixing two HTTP/2 CVEs and oauth2 vulnerabilities — upgrade immediately if you use HTTP/2 or oauth2 filter.

  • securityPatch HTTP/2 deployments now for CVE-2026-47774 and CVE-2026-27135

    Two HTTP/2 CVEs are fixed in this release. CVE-2026-47774 enables a cookie-bomb attack that causes excessive memory usage by sending large numbers of cookies that bypass header size limits before this fix. CVE-2026-27135 is an nghttp2-level vulnerability. If you terminate HTTP/2 traffic, upgrade to v1.37.3 immediately. The new cookie-counting behavior is enabled by default; if it causes regressions, you can temporarily disable it with the feature flag `envoy.reloadable_features.http2_include_cookies_in_limits`, but treat that as a short-term workaround only.

  • securityRotate oauth2 HMAC secrets after upgrading

    The timing side-channel in HMAC verification means a patient attacker could have probed whether a given secret was valid. After upgrading, rotate your oauth2 HMAC secrets as a precaution — especially in internet-facing deployments. The AES-CBC crash fix is also relevant: the previous 1/256 spurious decryption success could cause unpredictable auth behavior, not just crashes.

  • breakingCookie-heavy workloads may see HTTP/2 stream resets

    The CVE-2026-47774 fix changes how cookies are counted against `mutable_max_request_headers_kb` and `max_headers_count`. Clients sending many cookies that were previously accepted may now hit limits and receive stream resets. Test your high-cookie traffic patterns in staging before rolling this to production, and review your header size limits to ensure they are set appropriately for your workloads.

Key changes (5)
  • CVE-2026-47774: HTTP/2 streams now reset when they exceed max header list size; uncompressed cookies count toward header limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied directly to address upstream vulnerability
  • oauth2: timing side-channel in HMAC verification fixed — could previously leak whether an HMAC secret was valid
  • oauth2: AES-CBC decryption crash fixed — a 1/256 chance of spurious success on secret mismatch was tripping an internal assertion
  • load_report: shutdown race condition with ADS stream resolved via proper gRPC stream cleanup
Source

Envoy

Networking & MessagingJun 4, 2026

v1.36.7 is a security-focused patch addressing two CVEs in HTTP/2 and an HPACK cookie-bomb attack vector in the oauth2 filter, plus a crash fix. Upgrade immediately.

  • securityPatch HTTP/2 CVEs now — two CVEs affect any HTTP/2-exposed Envoy

    CVE-2026-47774 enables a cookie-bomb attack where crafted HPACK-compressed cookies inflate to exhaust Envoy memory. After patching, cookies count toward `mutable_max_request_headers_kb` and `max_headers_count`. If you see legitimate requests being reset post-upgrade, the escape hatch is the `envoy.reloadable_features.http2_include_cookies_in_limits` flag — but audit your header size limits first rather than disabling the protection. CVE-2026-27135 is an nghttp2-layer fix with no workaround; you must upgrade.

  • securityAudit oauth2 filter deployments for timing and decryption exposure

    Two oauth2 bugs fixed here are subtle but serious. The timing side-channel in HMAC verification could allow an attacker to probe secret validity over many requests. The AES-CBC crash (1/256 chance on bad tokens) is a reliability issue that could be triggered deliberately. If you use the oauth2 filter with token cookies, treat this as a high-priority upgrade — there's no configuration workaround for either issue.

  • breakingReview header size limits before deploying — cookie counting is a behavior change

    Cookies previously excluded from header size accounting now count toward limits. In practice, applications with many or large cookies may hit `max_headers_count` or `mutable_max_request_headers_kb` and get HTTP/2 stream resets where they didn't before. Before rolling out, check your current limit configurations against real traffic cookie sizes. If you need time, the reloadable feature flag lets you defer the behavior change, but don't leave it disabled long-term.

Key changes (5)
  • CVE-2026-47774: HTTP/2 streams are now reset when they exceed max header list size; uncompressed cookies now count against header size/count limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied directly to the HTTP/2 stack
  • oauth2: timing side-channel in HMAC verification closed — could have leaked whether an HMAC secret was valid
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed (~1/256 probability) on a secret mismatch, triggering a HeaderString assertion
  • load_report: shutdown race condition with ADS stream resolved via proper gRPC stream cleanup
Source

Envoy

Networking & MessagingApr 23, 2026

Envoy v1.38 is a massive release with several breaking changes requiring immediate action — RSA key usage enforcement, BoringSSL build flag changes, and tcp_proxy config validation are the top priorities before upgrading.

  • securityPatch CVE-2026-27135 by upgrading to v1.38

    This release includes the nghttp2 patch for CVE-2026-27135, which affects HTTP/2 header field handling. If you're running Envoy as an HTTP/2 gateway or proxy, this is a direct exposure. Prioritize upgrading clusters that terminate or proxy HTTP/2 traffic. RBAC header matcher also received a fix preventing concatenation-based bypass attacks — another reason to treat this upgrade as security-relevant.

  • breakingAudit TLS configs before upgrading — RSA key usage now enforced

    enforce_rsa_key_usage defaults to true starting this release and will be removed entirely next release, making it permanent. Any upstream TLS connection where the certificate's key usage doesn't match the negotiated cipher will be rejected. Before upgrading, audit your upstream certificate configurations. Test in staging first — silent failures in prod will be connection resets, not helpful error messages.

  • breakingUpdate BoringSSL FIPS build pipelines before building v1.38

    The --define=boringssl=fips Bazel flag is gone. CI/CD pipelines or Dockerfiles that build Envoy with FIPS mode will fail silently or error out. Replace with --config=boringssl-fips. If you're consuming official binaries rather than building from source, this doesn't affect you directly, but verify your supply-chain tooling if you maintain custom builds.

  • enhancementOpenTelemetry metrics over HTTP — drop the collector sidecar

    The OTel stat sink can now push metrics directly via OTLP/HTTP without requiring a collector sidecar. If you're running otel-collector as a DaemonSet purely for Envoy metrics forwarding, you can simplify that architecture. Evaluate whether direct OTLP/HTTP export to your backend (Grafana Cloud, Honeycomb, etc.) reduces operational overhead in your environment.

Key changes (6)
  • enforce_rsa_key_usage now defaults to true on upstream TLS contexts — connections using mismatched RSA key usage will fail
  • BoringSSL FIPS build flag changed from --define=boringssl=fips to --config=boringssl-fips, breaking existing build pipelines
  • tcp_proxy requires explicit max_early_data_bytes for non-IMMEDIATE upstream_connect_mode, failing validation at startup if missing
  • CVE-2026-27135 patched in nghttp2 HTTP/2 header handling
  • OAuth2 token encryption is now on by default; opt-out requires explicit disable_token_encryption flag
  • Dynamic modules gain significant new extension points including tracers, TLS validators, and custom LB policies with ABI forward-compatibility to v1.39
Source

Envoy

Networking & MessagingApr 10, 2026

Envoy v1.37.2 is a patch release fixing three runtime bugs: a crash on listener removal, incomplete body forwarding in dynamic module filters, and a request hang on buffer overflow during internal redirects.

  • breakingUpgrade immediately if using process-level access log rate limiting

    If your Envoy config uses a process-level access log rate limiter and you perform any listener hot-reload or removal, you are hitting a crash path. This is not a low-probability edge case — listener removal happens during routine config updates via xDS. Upgrade to v1.37.2 before your next config push.

  • breakingCheck dynamic module filter pipelines for body truncation

    If you run dynamic module filters alongside other filters that buffer request or response bodies (e.g., ext_proc, gRPC transcoding, JWT body inspection), you may have been forwarding truncated payloads upstream or to clients without any error. Audit logs for unexpected body size mismatches and validate behavior in staging after upgrading.

  • breakingInternal redirect with large request bodies could hang — patch this now

    Any route config using internal redirects combined with upstream services that can trigger redirects on large POST/PUT bodies is a hang risk. The request stalls rather than returning an error, which means your upstream timeout is the only safety net. This is a silent reliability failure. Upgrade and consider temporarily tightening request buffer limits on affected routes as a short-term guard.

Key changes (5)
  • Crash fix: listener removal with a process-level access log rate limiter no longer causes a process crash
  • Dynamic module filters now correctly forward complete request/response bodies when adjacent filters perform buffering
  • Internal redirect buffer overflow no longer hangs the request indefinitely
  • Docker release images updated and corrected
  • Stats subsystem updates included
Source

Envoy

Networking & MessagingApr 10, 2026

Envoy v1.36.6 is a patch release fixing two bugs: incomplete body delivery in dynamic module filters and a request hang when internal redirect triggers buffer overflow.

  • breakingUpgrade if you use dynamic module filters with buffering neighbors

    If your filter chain mixes dynamic module filters with any filter that buffers the body (e.g., ext_proc, grpc-web, or custom buffering filters), you were silently receiving incomplete bodies. This is a data-correctness bug, not just a performance issue. Upgrade to v1.36.6 immediately and validate that your dynamic modules are processing full payloads post-upgrade.

  • breakingInternal redirect + buffer overflow caused indefinite request hang

    Any deployment using internal redirects where the request body can exceed the configured buffer limit was exposed to hung requests — requests that never complete and hold connections open. This is particularly dangerous under load. Upgrade now; in the interim, consider raising buffer limits or disabling internal redirects if you're seeing stuck requests.

Key changes (3)
  • Dynamic module filters could pass truncated request/response bodies when neighboring filters buffered data — now fixed
  • Internal redirect with an overflowing request buffer could hang the request indefinitely — now resolved
  • Docker release images updated and corrected
Source