Change8

v1.38.1

Breaking Changes
📦 envoyView on GitHub →
1 breaking1 features🐛 5 fixes🔧 5 symbols

Summary

This release focuses heavily on security fixes, addressing vulnerabilities in HTTP/2 header limits, HMAC verification, and AES-CBC decryption. It also includes several bug fixes and minor behavior changes regarding upstream failure reasons and load balancer rebuild coalescing.

⚠️ Breaking Changes

  • The upstream transport failure reason is no longer included in the HTTP response body sent to downstream clients. To restore this behavior, enable the runtime feature ``envoy.reloadable_features.hide_transport_failure_reason_in_response_body``.

Migration Steps

  1. If you relied on the upstream transport failure reason being present in the HTTP response body, you must enable the runtime feature ``envoy.reloadable_features.hide_transport_failure_reason_in_response_body`` to restore the previous behavior.
  2. If you wish to re-enable automatic coalescing of load balancer rebuilds during EDS batch updates, enable the runtime feature ``envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update``.

✨ New Features

  • Load balancer rebuild coalescing during EDS batch host updates is now opt-in; it can be re-enabled using ``envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update``.

🐛 Bug Fixes

  • HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards ``mutable_max_request_headers_kb`` and ``max_headers_count`` limits, mitigating an HPACK cookie-bomb vulnerability (CVE-2026-47774). This behavior can be reverted with ``envoy.reloadable_features.http2_include_cookies_in_limits``.
  • Fixed a timing side-channel in HMAC verification within oauth2 that could leak HMAC secret validity.
  • Fixed a crash in oauth2 where AES-CBC decryption of token cookies could spuriously succeed on a secret mismatch, triggering a ``HeaderString`` validation assert.
  • Applied nghttp2 CVE-2026-27135 patch for http2.
  • Fixed a crash in dynamic_modules when an HTTP filter encounters a stream already above the downstream write-buffer high watermark during filter-chain construction.

Affected Symbols