Announcing Istio 1.26.8

This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.26.7 and 1.26.8.

{{< relnote >}}

Security Update

• CVE-2025-62408 (CVSS score 5.3, Moderate): Use after free can crash Envoy due to malfunctioning or compromised DNS. This is a heap use-after-free vulnerability in the c-ares library that can be exploited by an attacker controlling the local DNS infrastructure to cause a Denial of Service (DoS) in Envoy.

Changes

• Fixed an issue where HTTPS servers processed first prevented HTTP servers from creating routes on the same port with different bind addresses. (Issue #57706)