v1.36.9
repo: Release v1.36.9
Summary of changes:
-
Upstream security fixes:
- CVE-2026-47205:Authz per route crash
- CVE-2026-47207: ext_proc response in one gRPC message
- CVE-2026-47221: router internal redirects crash
- CVE-2026-47775: OAuth2 code verifier padding oracle
- CVE-2026-48044: zstd RLE zip bomb
- CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
- CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
- CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
- CVE-2026-48042: Stack overflow in destructor of highly nested JSON
- CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
- CVE-2026-48497: Abnormal process termination in DNS UDP filter
- CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
- CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
- GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding
-
Upstream security fixes:
- CVE-2026-47261: wasm: bumped
com_github_wasmtimeto resolve CVE-2026-47261.
- CVE-2026-47261: wasm: bumped
-
Behavior changes:
- build: disabled the contrib extension
envoy.network.connection_balance.dlb(Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.
- build: disabled the contrib extension
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.9/version_history/v1.36/v1.36.9
Full changelog:
v1.36.8...v1.36.9