Envoy
v1.35.13Networking & MessagingEnvoy v1.35.13 is a major security release fixing 13 CVEs, two of them critical: a PROXY protocol v2 TLV spillover leaking up to 65KB into the upstream stream, and a TLS SAN NUL-truncation bug that can bypass certificate-based auth. It also disables the contrib Intel DLB connection balancer extension due to a build breakage.
securityPROXY Protocol v2 TLV spillover (CVE-2026-47692)
Applies to all v1.35.13 deployments running PROXY protocol v2 header generation upstream. CVE-2026-47692 lets an attacker's "skipped" TLVs leak up to 65KB into the upstream application stream. Upgrade immediately if you use this feature.
securityTLS SAN NUL truncation enables auth bypass (CVE-2026-47778)
Applies to deployments validating client certificates by SAN. CVE-2026-47778 lets an embedded NUL byte in a TLS SAN truncate the parsed name, allowing certificates to match unintended hostnames and bypass authentication. Upgrade immediately.
security11 more high-severity CVEs across core filters and HTTP/3
Eleven additional high-severity CVEs are fixed across ext_proc, router internal redirects, OAuth2 (two separate issues: padding oracle and a use-after-free from late async token completion), zstd decompression, grpc_stats, JSON parsing, the DNS filter, HTTP/3 (content-length validation and a separate QPACK-based DoS), and TcpStatsdSync. Each is a crash, DoS, or memory-safety bug tied to a specific filter or codec; upgrade to pick up all fixes, or check which filters you run to prioritize.
securityWasmtime dependency bump fixes CVE-2026-47261
A separate wasmtime CVE (CVE-2026-47261) is fixed by bumping the com_github_wasmtime dependency. Applies to deployments using the Wasm filter.
breakingIntel DLB connection balancer extension disabled
The contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) is disabled at the Bazel build layer for all builds and platforms due to a source archive breakage. Anyone building Envoy with this extension enabled needs an alternate connection balancer.
主な変更 (7)
- 13 CVEs fixed in this release, two rated critical: PROXY protocol v2 TLV spillover (CVE-2026-47692, up to 65KB leaked into the upstream stream) and TLS SAN NUL truncation enabling auth bypass (CVE-2026-47778).
- High-severity fixes across core request handling: ext_proc single-message response handling (CVE-2026-47207), router internal redirect crash (CVE-2026-47221), grpc_stats segfault on Connect protocol to direct_response routes (CVE-2026-47204), and a stack overflow destroying deeply nested JSON (CVE-2026-48042).
- Two separate OAuth2 filter fixes: a code verifier padding oracle (CVE-2026-47775) and a use-after-free from late async token completion after stream teardown (CVE-2026-48090).
- HTTP/3 hardened against two issues: unvalidated content-length on headers-only requests/responses (CVE-2026-48743) and a QPACK blocked-decoding DoS.
- Additional high-severity fixes: zstd RLE decompression zip bomb (CVE-2026-48044), DNS filter crash on long query names (CVE-2026-48497), and TcpStatsdSync buffer overflow on large stats names (CVE-2026-48706).
- Upstream wasmtime dependency bumped to resolve CVE-2026-47261 in the Wasm filter.
- The contrib envoy.network.connection_balance.dlb extension (Intel DLB) is disabled at the Bazel layer for all builds due to a source archive breakage.