Envoy v1.38.3 is a security-only release patching 15 CVEs plus one upstream wasmtime CVE. Two issues are rated critical: a TLS SAN NUL-byte auth bypass (CVE-2026-47778) and HTTP/3-to-HTTP/1 request smuggling (CVE-2026-48743); the remaining 13 are rated high, covering crashes, a zip-bomb DoS, a PKCE padding oracle, a 65 KB upstream data spillover, and a heap buffer overflow.
securityCRITICAL: TLS SAN NUL-byte auth bypass (CVE-2026-47778)
CVE-2026-47778 (GHSA-f8x4-rw5x-f3r7): a NUL byte embedded in a TLS SAN causes truncation during comparison, allowing an attacker to bypass certificate-based authentication. Upgrade to v1.38.3 unconditionally.
securityCRITICAL: HTTP/3 to HTTP/1 request smuggling (CVE-2026-48743)
CVE-2026-48743 (GHSA-8phg-2h2q-jgxf): a headers-only HTTP/3 request carrying a nonzero Content-Length can be smuggled into a downstream HTTP/1 backend. Any deployment proxying HTTP/3 to HTTP/1 is affected. Upgrade to v1.38.3.
securityHIGH: PROXY Protocol v2 upstream data spillover (CVE-2026-47692)
CVE-2026-47692 (GHSA-wh36-hm39-mm3r): the PROXY Protocol v2 header generator leaks "skipped" TLVs, spilling up to 65 KB of attacker-controlled data into the upstream application stream. Upgrade to v1.38.3.
breakingIntel DLB connection balancer extension removed
The contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) has been disabled at the Bazel build layer in v1.38.3 due to a broken source archive. Any deployment that relied on this extension must migrate to an alternative connection balancer.
breakingTLS certificate Brotli compression now disabled by default
The runtime guard envoy.reloadable_features.tls_certificate_compression_brotli is now disabled by default. When off, QUIC uses zlib-only certificate compression and TCP TLS performs no certificate compression. If you depended on Brotli compression for TLS certificates, re-enable this flag explicitly after upgrading.
主な変更 (8)
- CRITICAL: TLS SAN NUL-byte truncation enables certificate auth bypass (CVE-2026-47778, max severity across all 15 CVEs)
- CRITICAL: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length (CVE-2026-48743)
- HIGH: PROXY Protocol v2 leaks up to 65 KB of attacker-controlled data into upstream stream (CVE-2026-47692); OAuth2 PKCE padding oracle (CVE-2026-47775) and UAF/crash on async token completion after stream teardown (CVE-2026-48090)
- HIGH: Crashes fixed in authz per-route (CVE-2026-47205), router internal redirects (CVE-2026-47221), REQUESTED_SERVER_NAME (CVE-2026-47220), grpc_stats filter on Connect-to-direct_response (CVE-2026-47204), and ext_proc single-gRPC-message response (CVE-2026-47207)
- HIGH: zstd RLE zip bomb DoS (CVE-2026-48044), JSON deeply-nested destructor stack overflow (CVE-2026-48042), DNS UDP filter abnormal termination (CVE-2026-48497), TcpStatsdSink heap buffer overflow (CVE-2026-48706), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch)
- wasmtime dependency bumped to resolve CVE-2026-47261 (medium severity)
- Intel DLB contrib extension (envoy.network.connection_balance.dlb) disabled in all builds due to broken source archive
- Runtime guard envoy.reloadable_features.tls_certificate_compression_brotli flipped to disabled by default; TCP TLS will no longer compress certificates and QUIC reverts to zlib-only