.. _version_history_1.35.9:

1.35.9 (March 10, 2026)
========================






Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*



* **http**: Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
  destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
  had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
  ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
* **json**: Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
  when the input string ends with a control character.
* **network**: Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
* **oauth2**: Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
* **rbac**: Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
  into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
  The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.