[IMPORTANT] Security patches #43877

Merged
phlax merged 5 commits into envoyproxy:main from phlax:patches/main
Mar 10, 2026
Conversation

@phlax
Member

@phlax phlax commented Mar 10, 2026

  • CVE-2026-26330: ratelimit: fix a bug where response phase limit may result in crash
  • CVE-2026-26308: fix multivalue header bypass in rbac
  • CVE-2026-26310: network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  • CVE-2026-26309: json: fixed an off-by-one write that could corrupt the string null terminator
  • CVE-2026-26311: http: ensure decode* methods are blocked after a downstream reset

agrawroh and others added 5 commits March 10, 2026 14:53
[CVE-2026-26311](GHSA-84xm-r438-86px)

Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
…terminator

[CVE-2026-26309](GHSA-56cj-wgg3-x943)

Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
…IPv6 address

[CVE-2026-26310](GHSA-3cw6-2j68-868p)

Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
[CVE-2026-26308](GHSA-ghc4-35x6-crw5)

Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
[CVE-2026-26330](GHSA-c23c-rp3m-vpg3)

Signed-off-by: wbpcode <wbphub@gmail.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
@phlax phlax requested a review from yanavlasov as a code owner March 10, 2026 16:03
@repokitteh-read-only

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #43877 was opened by phlax.

see: more, trace.

@phlax phlax enabled auto-merge (rebase) March 10, 2026 16:55
@phlax
Member Author

phlax commented Mar 10, 2026

/retest

@phlax
Member Author

phlax commented Mar 10, 2026

/retest tsan

@phlax phlax merged commit de411b9 into envoyproxy:main Mar 10, 2026
28 checks passed
4 participants