Change8

v1.38.3

Breaking Changes
📦 envoyView on GitHub →
1 breaking🐛 16 fixes🔧 3 symbols

Summary

This release primarily focuses on numerous security fixes across various components, including Authz, HTTP/3, TLS, and various filters. It also disables the Intel DLB connection balancer extension by default.

⚠️ Breaking Changes

  • The contrib extension "envoy.network.connection_balance.dlb" (Intel DLB connection balancer) is disabled at the Bazel layer for all builds and platforms due to a source archive breakage. Local workarounds are available via https://github.com/envoyproxy/envoy/issues/45491.

Migration Steps

  1. If using the Intel DLB connection balancer, note that it is disabled by default; consult https://github.com/envoyproxy/envoy/issues/45491 for local workarounds if needed.

🐛 Bug Fixes

  • Fixed Authz per route crash ([CVE-2026-47205](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j)).
  • Fixed ext_proc response handling in one gRPC message ([CVE-2026-47207](https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv)).
  • Fixed router internal redirects crash ([CVE-2026-47221](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr)).
  • Fixed REQUESTED_SERVER_NAME crash ([CVE-2026-47220](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v)).
  • Fixed OAuth2 code verifier padding oracle vulnerability ([CVE-2026-47775](https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p)).
  • Fixed zstd RLE zip bomb vulnerability ([CVE-2026-48044](https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg)).
  • Fixed grpc_stats filter segfault on Connect protocol requests to direct_response routes ([CVE-2026-47204](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6)).
  • Fixed PROXY Protocol v2 header generator emitting "skipped" TLVs, causing spillover into upstream application stream ([CVE-2026-47692](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r)).
  • Fixed Embedded NUL in TLS SAN Truncation leading to Auth Bypass ([CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7)).
  • Fixed stack overflow in destructor of highly nested JSON ([CVE-2026-48042](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv)).
  • Fixed OAuth2 filter late async token completion after stream teardown risk ([CVE-2026-48090](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f)).
  • Fixed abnormal process termination in DNS UDP filter ([CVE-2026-48497](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q)).
  • Fixed HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length ([CVE-2026-48743](https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf)).
  • Fixed Envoy Heap Buffer Overflow in TcpStatsdSink ([CVE-2026-48706](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4)).
  • Fixed Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding ([GHSA-p7c7-7c47-pwch]).
  • Bumped ``com_github_wasmtime`` to resolve CVE-2026-47261.

Affected Symbols