Change8

v1.35.13

Breaking Changes
📦 envoyView on GitHub →
1 breaking🐛 14 fixes🔧 11 symbols

Summary

This release primarily focuses on addressing numerous critical security vulnerabilities across various components, including HTTP/3, OAuth2, and various filters. Additionally, the Intel DLB connection balancer extension has been disabled due to upstream issues.

⚠️ Breaking Changes

  • The contrib extension `envoy.network.connection_balance.dlb` (Intel DLB connection balancer) has been disabled at the Bazel layer for all builds and platforms due to a source archive breakage. Users relying on this extension must use local workarounds mentioned in https://github.com/envoyproxy/envoy/issues/45491.

Migration Steps

  1. If you were using the `envoy.network.connection_balance.dlb` extension, consult https://github.com/envoyproxy/envoy/issues/45491 for local workarounds, as this extension is disabled by default in this release.

🐛 Bug Fixes

  • Fixed issue related to ext_proc response in one gRPC message ([CVE-2026-47207]).
  • Fixed router internal redirects crash ([CVE-2026-47221]).
  • Fixed OAuth2 code verifier padding oracle vulnerability ([CVE-2026-47775]).
  • Fixed zstd RLE zip bomb vulnerability ([CVE-2026-48044]).
  • Fixed grpc_stats filter segfault on Connect protocol requests to direct_response routes ([CVE-2026-47204]).
  • Fixed PROXY Protocol v2 header generator emitting "skipped" TLVs causing 65 KB attacker-controlled spillover into the upstream application stream ([CVE-2026-47692]).
  • Fixed Embedded NUL in TLS SAN Truncation leading to Auth Bypass ([CVE-2026-47778]).
  • Fixed stack overflow in destructor of highly nested JSON ([CVE-2026-48042]).
  • Fixed OAuth2 filter late async token completion after stream teardown which risked UAF/crash ([CVE-2026-48090]).
  • Fixed DNS filter abnormal process termination on long query name ([CVE-2026-48497]).
  • Fixed HTTP/3 headers-only request/response content-length validation ([CVE-2026-48743]).
  • Fixed TcpStatsdSync buffer overflow when using large stats names ([CVE-2026-48706]).
  • Fixed Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding ([GHSA-p7c7-7c47-pwch]).
  • Upstream security fix: bumped `com_github_wasmtime` to resolve CVE-2026-47261.

Affected Symbols