RATATOSKRATATOSK
ログイン

Envoy

v1.37.5Networking & Messaging
2026年6月24日

Envoy v1.37.5 is a security-only release fixing 15 Envoy CVEs/GHSAs and one upstream dependency CVE, with severities reaching critical. Three critical issues stand out: HTTP/3-to-HTTP/1 request smuggling, TLS SAN auth bypass via embedded NUL bytes, and a PROXY Protocol v2 spillover that puts attacker-controlled data into upstream streams. All v1.37.x deployments should upgrade without delay.

  • securityCritical: HTTP/3 to HTTP/1 request smuggling (CVE-2026-48743)

    CVE-2026-48743 (GHSA-8phg-2h2q-jgxf): HTTP/3 requests with headers-only and a nonzero Content-Length can smuggle requests into HTTP/1 upstream connections. Applies to any deployment terminating HTTP/3 and proxying to HTTP/1 backends. Upgrade immediately.

  • securityCritical: TLS SAN NUL-byte auth bypass (CVE-2026-47778)

    CVE-2026-47778 (GHSA-f8x4-rw5x-f3r7): A TLS SAN containing an embedded NUL byte is truncated at that byte during comparison, allowing a certificate to match patterns it should not. Any deployment making auth decisions based on TLS SAN validation is affected. Upgrade immediately.

  • securityCritical: PROXY Protocol v2 TLV spillover into upstream stream (CVE-2026-47692)

    CVE-2026-47692 (GHSA-wh36-hm39-mm3r): The PROXY Protocol v2 header generator emits TLVs that were supposed to be skipped, spilling up to 65 KB of attacker-controlled data into the upstream application stream. Affects deployments that generate PROXY Protocol v2 headers toward upstreams. Upgrade immediately.

  • securityHigh: Two OAuth2 filter vulnerabilities (padding oracle + UAF)

    CVE-2026-47775 and CVE-2026-48090 (GHSA-396h-jpq4-vc7p, GHSA-3cj2-c63f-q26f): The OAuth2 filter has a PKCE code-verifier padding oracle and a use-after-free risk when an async token fetch completes after stream teardown. Both affect deployments using envoy.filters.http.oauth2.

  • securityHigh: HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch)

    HTTP/3 QPACK blocked decoding (GHSA-p7c7-7c47-pwch) can be exploited to cause a DoS against the HTTP/3 stack. Affects any deployment serving HTTP/3.

  • securityHigh: grpc_stats filter segfault on Connect protocol (CVE-2026-47204)

    CVE-2026-47204 (GHSA-3jxh-8p6x-7pf6): The grpc_stats filter segfaults on Connect-protocol requests routed to direct_response routes. Affects deployments using envoy.filters.http.grpc_stats.

  • breakingIntel DLB connection balancer contrib extension disabled at build time

    The envoy.network.connection_balance.dlb contrib extension (Intel DLB connection balancer) has been disabled at the Bazel build layer across all platforms due to a source archive breakage. Deployments relying on this extension must pursue a local workaround or alternative balancing strategy until the source issue is resolved.

主な変更 (5)

  • Three critical CVEs fixed: HTTP/3-to-HTTP/1 request smuggling (CVE-2026-48743), TLS SAN NUL-byte auth bypass (CVE-2026-47778), and PROXY Protocol v2 65 KB upstream stream spillover (CVE-2026-47692).
  • Nine additional high-severity CVEs fixed, covering OAuth2 padding oracle and UAF (CVE-2026-47775, CVE-2026-48090), HTTP/3 QPACK DoS (GHSA-p7c7-7c47-pwch), grpc_stats segfault (CVE-2026-47204), DNS UDP filter abnormal termination (CVE-2026-48497), TcpStatsdSink heap buffer overflow (CVE-2026-48706), deep JSON nesting stack overflow (CVE-2026-48042), router internal redirects crash (CVE-2026-47221), REQUESTED_SERVER_NAME crash (CVE-2026-47220), ext_proc gRPC response crash (CVE-2026-47207), and authz per-route crash (CVE-2026-47205).
  • zstd decompression RLE zip-bomb DoS (CVE-2026-48044, high) fixed; affects deployments using the zstd filter.
  • wasmtime dependency bumped to resolve CVE-2026-47261.
  • envoy.network.connection_balance.dlb (Intel DLB) contrib extension disabled at the Bazel build layer for all platforms due to source archive breakage; local workarounds are referenced in the release notes.