v1.36.9
Breaking Changes📦 envoyView on GitHub →
⚠ 1 breaking🐛 15 fixes🔧 1 symbols
Summary
Release v1.36.9 primarily incorporates numerous upstream security fixes from Envoy, addressing vulnerabilities ranging from crashes and buffer overflows to protocol smuggling and DoS risks. Additionally, the Intel DLB connection balancer extension has been disabled due to upstream source breakage.
⚠️ Breaking Changes
- The contrib extension `envoy.network.connection_balance.dlb` (Intel DLB connection balancer) has been disabled at the Bazel layer for all builds and platforms due to a source archive breakage. Users relying on this extension must use local workarounds as described in https://github.com/envoyproxy/envoy/issues/45491.
Migration Steps
- If using the Intel DLB connection balancer (`envoy.network.connection_balance.dlb`), consult https://github.com/envoyproxy/envoy/issues/45491 for local workarounds, as it is disabled by default.
🐛 Bug Fixes
- Addressed Authz per route crash ([CVE-2026-47205]).
- Fixed issue where ext_proc response was sent in one gRPC message ([CVE-2026-47207]).
- Resolved router internal redirects crash ([CVE-2026-47221]).
- Patched OAuth2 code verifier padding oracle vulnerability ([CVE-2026-47775]).
- Mitigated zstd RLE zip bomb vulnerability ([CVE-2026-48044]).
- Fixed grpc_stats filter segfault on Connect protocol requests to direct_response routes ([CVE-2026-47204]).
- Prevented PROXY Protocol v2 header generator from emitting "skipped" TLVs, avoiding 65 KB attacker-controlled spillover into the upstream application stream ([CVE-2026-47692]).
- Fixed Embedded NUL in TLS SAN Truncation leading to Auth Bypass ([CVE-2026-47778]).
- Resolved stack overflow in destructor of highly nested JSON ([CVE-2026-48042]).
- Fixed OAuth2 filter late async token completion after stream teardown which risked UAF/crash ([CVE-2026-48090]).
- Resolved abnormal process termination in DNS UDP filter ([CVE-2026-48497]).
- Fixed HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length ([CVE-2026-48743]).
- Patched Envoy Heap Buffer Overflow in TcpStatsdSink ([CVE-2026-48706]).
- Fixed Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding ([GHSA-p7c7-7c47-pwch]).
- Resolved CVE-2026-47261 by bumping `com_github_wasmtime`.