v1.38.3

Summary of changes:

• Security fixes:

  • CVE-2026-47205: Authz per route crash
  • CVE-2026-47207: ext_proc response in one gRPC message
  • CVE-2026-47221: router internal redirects crash
  • CVE-2026-47220: REQUESTED_SERVER_NAME crash
  • CVE-2026-47775: OAuth2 code verifier padding oracle
  • CVE-2026-48044: zstd RLE zip bomb
  • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
  • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
  • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
  • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
  • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
  • CVE-2026-48497: Abnormal process termination in DNS UDP filter
  • CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
  • CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
  • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding

• Upstream security fixes:

  • CVE-2026-47261: wasm: bumped com_github_wasmtime to resolve CVE-2026-47261.

• Behavior changes:

  • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.

• Minor behavior changes:

  • tls: runtime guard envoy.reloadable_features.tls_certificate_compression_brotli is now disabled by default. When disabled, QUIC retains zlib-only certificate compression and TCP TLS performs no certificate compression. It can be re-enabled by setting the runtime guard to true.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.38.3
Docs:
https://www.envoyproxy.io/docs/envoy/v1.38.3/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.38.3/version_history/v1.38/v1.38.3
Full changelog:
v1.38.2...v1.38.3

Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com

v1.37.5

Summary of changes:

• Security fixes:

  • CVE-2026-47205:Authz per route crash
  • CVE-2026-47207: ext_proc response in one gRPC message
  • CVE-2026-47221: router internal redirects crash
  • CVE-2026-47220: REQUESTED_SERVER_NAME crash
  • CVE-2026-47775: OAuth2 code verifier padding oracle
  • CVE-2026-48044: zstd RLE zip bomb
  • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
  • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
  • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
  • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
  • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
  • CVE-2026-48497: Abnormal process termination in DNS UDP filter
  • CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
  • CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
  • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding

• Upstream security fixes:

  • CVE-2026-47261: wasm: bumped com_github_wasmtime to resolve CVE-2026-47261.

• Behavior changes:

  • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.5
Docs:
https://www.envoyproxy.io/docs/envoy/v1.37.5/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.37.5/version_history/v1.37/v1.37.5
Full changelog:
v1.37.4...v1.37.5

Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com

v1.36.9

Summary of changes:

• Upstream security fixes:

  • CVE-2026-47205:Authz per route crash
  • CVE-2026-47207: ext_proc response in one gRPC message
  • CVE-2026-47221: router internal redirects crash
  • CVE-2026-47775: OAuth2 code verifier padding oracle
  • CVE-2026-48044: zstd RLE zip bomb
  • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
  • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
  • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
  • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
  • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
  • CVE-2026-48497: Abnormal process termination in DNS UDP filter
  • CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
  • CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
  • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding

• Upstream security fixes:

  • CVE-2026-47261: wasm: bumped com_github_wasmtime to resolve CVE-2026-47261.

• Behavior changes:

  • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.9/version_history/v1.36/v1.36.9
Full changelog:
v1.36.8...v1.36.9

Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com

v1.35.13

Summary of changes:

• Security fixes:

  • CVE-2026-47207: ext_proc response in one gRPC message
  • CVE-2026-47221: router internal redirects crash
  • CVE-2026-47775: OAuth2 code verifier padding oracle
  • CVE-2026-48044: zstd RLE zip bomb
  • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
  • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled
    spillover into the upstream application stream
  • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
  • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
  • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
  • CVE-2026-48497: DNS filter abnormal process termination on long query name
  • CVE-2026-48743: HTTP/3 headers-only request/response content-length not validated
  • CVE-2026-48706: TcpStatsdSync buffer overflow with large stats name
  • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding

• Upstream security fixes:

  • CVE-2026-47261: wasm: bumped com_github_wasmtime to resolve CVE-2026-47261.

• Behavior changes:

  • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.13
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.13/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.13/version_history/v1.35/v1.35.13
Full changelog:
v1.35.12...v1.35.13

Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com

v1.38.2

Summary of changes:

• Bug fixes:

  • runtime: fixed RTDS runtime guard override removal so deleting an override restores the process-wide runtime guard value to the default value.

• New features:

  • http2: added opt-in histograms for HTTP/2 header statistics, including header-entry count, header-map byte size, reassembled cookie header length, and individual cookie header count. Enable with envoy.reloadable_features.http2_record_histograms; the histograms and runtime guard will be removed in a future Envoy release.
  • http2: added envoy.reloadable_features.http2_max_cookies_size_in_kb to limit the size of the reassembled cookie header. By default, no cookie-size limit is enforced.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.38.2
Docs:
https://www.envoyproxy.io/docs/envoy/v1.38.2/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.38.2/version_history/v1.38/v1.38.2
Full changelog:
v1.38.1...v1.38.2

Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com

v1.37.4

Summary of changes:

• Bug fixes:

  • runtime: fixed RTDS runtime guard override removal so deleting an override restores the process-wide runtime guard value to the default value.

• New features:

  • http2: added opt-in histograms for HTTP/2 header statistics, including header-entry count, header-map byte size, reassembled cookie header length, and individual cookie header count. Enable with envoy.reloadable_features.http2_record_histograms; the histograms and runtime guard will be removed in a future Envoy release.
  • http2: added envoy.reloadable_features.http2_max_cookies_size_in_kb to limit the size of the reassembled cookie header. By default, no cookie-size limit is enforced.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.4
Docs:
https://www.envoyproxy.io/docs/envoy/v1.37.4/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.37.4/version_history/v1.37/v1.37.4
Full changelog:
v1.37.3...v1.37.4

Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com

v1.36.8

Summary of changes:

• Bug fixes:

  • runtime: fixed RTDS runtime guard override removal so deleting an override restores the process-wide runtime guard value to the default value.

• New features:

  • http2: added opt-in histograms for HTTP/2 header statistics, including header-entry count, header-map byte size, reassembled cookie header length, and individual cookie header count. Enable with envoy.reloadable_features.http2_record_histograms; the histograms and runtime guard will be removed in a future Envoy release.
  • http2: added envoy.reloadable_features.http2_max_cookies_size_in_kb to limit the size of the reassembled cookie header. By default, no cookie-size limit is enforced.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.8
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.8/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.8/version_history/v1.36/v1.36.8
Full changelog:
v1.36.7...v1.36.8

Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com

v1.35.12

Summary of changes:

• Bug fixes:

  • runtime: fixed RTDS runtime guard override removal so deleting an override restores the process-wide runtime guard value to the default value.

• New features:

  • http2: added opt-in histograms for HTTP/2 header statistics, including header-entry count, header-map byte size, reassembled cookie header length, and individual cookie header count. Enable with envoy.reloadable_features.http2_record_histograms; the histograms and runtime guard will be removed in a future Envoy release.
  • http2: added envoy.reloadable_features.http2_max_cookies_size_in_kb to limit the size of the reassembled cookie header. By default, no cookie-size limit is enforced.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.12
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.12/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.12/version_history/v1.35/v1.35.12
Full changelog:
v1.35.11...v1.35.12

Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Kateryna Nezdolii kateryna.nezdolii@gmail.com

v1.38.1

Summary of changes:

• Security fixes:

  • CVE-2026-47774: http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards mutable_max_request_headers_kb and max_headers_count limits, protecting against an HPACK cookie-bomb that could cause excessive memory usage. This can be reverted with envoy.reloadable_features.http2_include_cookies_in_limits.
  • oauth2: fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
  • oauth2: fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a HeaderString validation assert.
  • CVE-2026-27135: http2: applied nghttp2 CVE-2026-27135 patch.

• Bug fixes:

  • dynamic_modules: fixed a crash in the HTTP filter when a stream was already above the downstream write-buffer high watermark at filter-chain construction time.

• Minor behavior changes:

  • router: the upstream transport failure reason is no longer included in the HTTP response body sent to downstream clients (still available in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%). Revert with envoy.reloadable_features.hide_transport_failure_reason_in_response_body.
  • upstream: load balancer rebuild coalescing during EDS batch host updates is now opt-in. Re-enable with envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.38.1
Docs:
https://www.envoyproxy.io/docs/envoy/v1.38.1/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.38.1/version_history/v1.38/v1.38.1
Full changelog:
v1.38.0...v1.38.1

Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Ryan Northey ryan@synca.io

v1.37.3

Summary of changes:

• Security fixes:

  • CVE-2026-47774: http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards mutable_max_request_headers_kb and max_headers_count limits, protecting against an HPACK cookie-bomb that could cause excessive memory usage. This can be reverted with envoy.reloadable_features.http2_include_cookies_in_limits.
  • oauth2: fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
  • oauth2: fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a HeaderString validation assert.
  • CVE-2026-27135: http2: applied nghttp2 CVE-2026-27135 patch.

• Bug fixes:

  • load_report: fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.3
Docs:
https://www.envoyproxy.io/docs/envoy/v1.37.3/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.37.3/version_history/v1.37/v1.37.3
Full changelog:
v1.37.2...v1.37.3

Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Ryan Northey ryan@synca.io