v1.35.13
Breaking Changes📦 envoyView on GitHub →
⚠ 1 breaking🐛 14 fixes🔧 11 symbols
Summary
This release primarily focuses on addressing numerous critical security vulnerabilities across various components, including HTTP/3, OAuth2, and various filters. Additionally, the Intel DLB connection balancer extension has been disabled due to upstream issues.
⚠️ Breaking Changes
- The contrib extension `envoy.network.connection_balance.dlb` (Intel DLB connection balancer) has been disabled at the Bazel layer for all builds and platforms due to a source archive breakage. Users relying on this extension must use local workarounds mentioned in https://github.com/envoyproxy/envoy/issues/45491.
Migration Steps
- If you were using the `envoy.network.connection_balance.dlb` extension, consult https://github.com/envoyproxy/envoy/issues/45491 for local workarounds, as this extension is disabled by default in this release.
🐛 Bug Fixes
- Fixed issue related to ext_proc response in one gRPC message ([CVE-2026-47207]).
- Fixed router internal redirects crash ([CVE-2026-47221]).
- Fixed OAuth2 code verifier padding oracle vulnerability ([CVE-2026-47775]).
- Fixed zstd RLE zip bomb vulnerability ([CVE-2026-48044]).
- Fixed grpc_stats filter segfault on Connect protocol requests to direct_response routes ([CVE-2026-47204]).
- Fixed PROXY Protocol v2 header generator emitting "skipped" TLVs causing 65 KB attacker-controlled spillover into the upstream application stream ([CVE-2026-47692]).
- Fixed Embedded NUL in TLS SAN Truncation leading to Auth Bypass ([CVE-2026-47778]).
- Fixed stack overflow in destructor of highly nested JSON ([CVE-2026-48042]).
- Fixed OAuth2 filter late async token completion after stream teardown which risked UAF/crash ([CVE-2026-48090]).
- Fixed DNS filter abnormal process termination on long query name ([CVE-2026-48497]).
- Fixed HTTP/3 headers-only request/response content-length validation ([CVE-2026-48743]).
- Fixed TcpStatsdSync buffer overflow when using large stats names ([CVE-2026-48706]).
- Fixed Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding ([GHSA-p7c7-7c47-pwch]).
- Upstream security fix: bumped `com_github_wasmtime` to resolve CVE-2026-47261.