v1.36.5

📦 envoy

Summary

This release focuses primarily on security fixes addressing multiple CVEs related to crashes, header bypasses, and memory corruption. It also includes a bug fix for OAuth2 refresh requests.

🐛 Bug Fixes

  • Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
  • Rate limit: fixed a bug where a limit applied in the response phase could crash the proxy ([CVE-2026-26330](https://github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3)).
  • Fixed a multi-value header bypass in the RBAC filter ([CVE-2026-26308](https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5)).
  • Fixed a crash in getAddressWithPort() when it is called with a scoped IPv6 address ([CVE-2026-26310](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cw6-2j68-868p)).
  • Fixed an off-by-one write in JSON processing that could corrupt a string's null terminator ([CVE-2026-26309](https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943)).
  • Ensured that decode* methods are blocked after a downstream reset in HTTP handling ([CVE-2026-26311](https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px)).

Affected Symbols