security14 Envoy CVEs fixed (max severity HIGH) — ISTIO-SECURITY-2026-005
All 14 Envoy CVEs under ISTIO-SECURITY-2026-005 are fixed in 1.29.5. The highest-severity issues include an HTTP/3 QPACK decoding DoS (GHSA-p7C7-7c47-pwch), a compressed-payload inflation bypass of MaxInflateRatio (CVE-2026-48044), a %REQUESTED_SERVER_NAME% formatter crash (CVE-2026-47220), a QUIC content-length validation issue guarded by envoy.reloadable_features.quic_validate_headers_only_content_length (CVE-2026-48743), and a PROXY protocol TLV length mismatch (CVE-2026-47692). Upgrade all 1.29.x deployments to 1.29.5.
securityOAuth2 filter padding oracle in AES-256-CBC cookie decryption (CVE-2026-47775)
Operators using the OAuth2 filter with AES-256-CBC cookie encryption should upgrade immediately. The filter now supports AES-256-GCM with a gcm. algorithm marker; plan migration away from AES-256-CBC after upgrading.
securityext_authz use-after-free with per-route service overrides (CVE-2026-47205)
Clusters using ext_authz with per-route service overrides are exposed to a use-after-free crash when a downstream connection resets during an in-flight authorization check (CVE-2026-47205). Upgrade to 1.29.5 to eliminate the crash window.
breakingJSON nesting depth limit reduced to 1000 (CVE-2026-48042)
JSON parser nesting depth is now capped at 1000 by default (down from 10000). If any Envoy configuration relies on deeper nesting, the old limit can be restored temporarily by setting the runtime flag envoy.reloadable_features.limit_json_parser_nesting_depth to false, but plan to eliminate deep nesting.