Summary

changelogs/summary.md

1.38.33.0 KB
Summary of changes:

  • Security fixes:
    • CVE-2026-47205: Authz per route crash
    • CVE-2026-47207: ext_proc response in one gRPC message
    • CVE-2026-47221: router internal redirects crash
    • CVE-2026-47220: REQUESTED_SERVER_NAME crash
    • CVE-2026-47775: OAuth2 code verifier padding oracle
    • CVE-2026-48044: zstd RLE zip bomb
    • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
    • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
    • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
    • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
    • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
    • CVE-2026-48497: Abnormal process termination in DNS UDP filter
    • CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
    • CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
    • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding
  • Upstream security fixes:
    • CVE-2026-47261: wasm: bumped com_github_wasmtime to resolve CVE-2026-47261.
  • Behavior changes:
    • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See https://github.com/envoyproxy/envoy/issues/45491 for local workarounds.
  • Minor behavior changes:
    • tls: runtime guard envoy.reloadable_features.tls_certificate_compression_brotli is now disabled by default. When disabled, QUIC retains zlib-only certificate compression and TCP TLS performs no certificate compression. It can be re-enabled by setting the runtime guard to true.