RATATOSKRATATOSK
ログイン

Envoy

v1.36.9Networking & Messaging
2026年6月24日

Envoy v1.36.9 is a security-only release patching 15 CVEs (2 rated critical, the rest high or medium) across TLS SAN handling, HTTP/3, PROXY protocol, JSON parsing, OAuth2, ext_proc, grpc_stats, zstd, DNS, and statsd. Operators should upgrade immediately, as two of the vulnerabilities -- TLS SAN auth bypass and HTTP/3 request smuggling -- are unconditional or broadly exploitable.

  • securityCRITICAL: TLS SAN NUL-byte auth bypass (CVE-2026-47778 / GHSA-f8x4-rw5x-f3r7)

    A TLS SAN containing an embedded NUL byte causes the SAN to be truncated, bypassing certificate-based authentication checks. All deployments are affected. Upgrade to v1.36.9 immediately.

  • securityCRITICAL: HTTP/3-to-HTTP/1 request smuggling (CVE-2026-48743 / GHSA-8phg-2h2q-jgxf)

    A headers-only HTTP/3 request with a nonzero Content-Length can be smuggled into HTTP/1 backends, enabling request smuggling attacks. Affects any deployment proxying HTTP/3 to HTTP/1 backends.

  • securityHIGH: PROXY Protocol v2 upstream data spillover (CVE-2026-47692 / GHSA-wh36-hm39-mm3r)

    PROXY Protocol v2 header generation leaks up to 65 KB of attacker-controlled data into the upstream application stream via improperly emitted TLVs. Affects deployments using the PROXY Protocol v2 header generator.

  • securityHIGH: Stack overflow on deeply nested JSON (CVE-2026-48042 / GHSA-f24p-rxw2-g6pv)

    Deeply nested JSON input triggers a stack overflow in the object destructor, crashing the proxy. All deployments are affected.

  • securityHIGH: wasmtime dependency CVE (CVE-2026-47261)

    The wasmtime dependency was bumped to resolve CVE-2026-47261. All deployments using Wasm extensions are affected.

  • breakingDLB connection balancer extension disabled (capability removed)

    The contrib Intel DLB connection balancer extension (envoy.network.connection_balance.dlb) is now disabled at the Bazel layer for all platforms due to a source archive breakage. Builds that previously enabled this extension will lose it silently.

主な変更 (8)

  • CRITICAL (2 CVEs): TLS SAN NUL-byte truncation enables auth bypass (CVE-2026-47778), and HTTP/3-to-HTTP/1 request smuggling via nonzero Content-Length on headers-only requests (CVE-2026-48743).
  • HIGH: PROXY Protocol v2 header generator emits skipped TLVs, allowing up to 65 KB of attacker-controlled data to spill into the upstream stream (CVE-2026-47692).
  • HIGH: Stack overflow in destructor on deeply nested JSON input affects all deployments (CVE-2026-48042).
  • HIGH: Multiple filter-specific crashes and security issues fixed -- ext_proc single-gRPC-message response (CVE-2026-47207), grpc_stats segfault on Connect-protocol requests to direct_response routes (CVE-2026-47204), authz per-route crash (CVE-2026-47205), router internal redirects crash (CVE-2026-47221).
  • HIGH: OAuth2 filter fixes two issues -- PKCE code verifier padding oracle (CVE-2026-47775) and use-after-free risk from late async token completion after stream teardown (CVE-2026-48090).
  • HIGH: zstd RLE zip-bomb decompression amplification (CVE-2026-48044), DNS UDP filter abnormal termination (CVE-2026-48497), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and TcpStatsdSink heap buffer overflow (CVE-2026-48706).
  • wasmtime dependency bumped to resolve CVE-2026-47261 (HIGH, unconditional).
  • The contrib envoy.network.connection_balance.dlb (Intel DLB) extension is disabled for all builds due to a source archive breakage.