securityPROXY Protocol v2 TLV spillover (CVE-2026-47692)
Applies to all v1.35.13 deployments running PROXY protocol v2 header generation upstream. CVE-2026-47692 lets an attacker's "skipped" TLVs leak up to 65KB into the upstream application stream. Upgrade immediately if you use this feature.
securityTLS SAN NUL truncation enables auth bypass (CVE-2026-47778)
Applies to deployments validating client certificates by SAN. CVE-2026-47778 lets an embedded NUL byte in a TLS SAN truncate the parsed name, allowing certificates to match unintended hostnames and bypass authentication. Upgrade immediately.
security11 more high-severity CVEs across core filters and HTTP/3
Eleven additional high-severity CVEs are fixed across ext_proc, router internal redirects, OAuth2 (two separate issues: padding oracle and a use-after-free from late async token completion), zstd decompression, grpc_stats, JSON parsing, the DNS filter, HTTP/3 (content-length validation and a separate QPACK-based DoS), and TcpStatsdSync. Each is a crash, DoS, or memory-safety bug tied to a specific filter or codec; upgrade to pick up all fixes, or check which filters you run to prioritize.
securityWasmtime dependency bump fixes CVE-2026-47261
A separate wasmtime CVE (CVE-2026-47261) is fixed by bumping the com_github_wasmtime dependency. Applies to deployments using the Wasm filter.
breakingIntel DLB connection balancer extension disabled
The contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) is disabled at the Bazel build layer for all builds and platforms due to a source archive breakage. Anyone building Envoy with this extension enabled needs an alternate connection balancer.