1.36.3 (December 4, 2025)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • dynamic modules: The dynamic module ABI has been updated to support streaming body manipulation. This change also fixed potentially incorrect behavior when accessing or modifying the request or response body. See https://github.com/envoyproxy/envoy/issues/40918 for more details.

  • http: Added runtime flag envoy.reloadable_features.reject_early_connect_data to reject CONNECT requests for which data is received before Envoy has sent a 200 response to the client. While sending data early is not strictly compliant behavior, it is very common as a latency-reducing measure. As such, the option is disabled by default.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • bootstrap: Fixed an issue where a custom header_prefix would result in a crash at startup.

  • http: Fixed a remote jwt_auth token fetch crash with two or more auth headers when allow_missing_or_failed is set.

  • tcp_proxy: Fixed a connection leak in the TCP proxy when the receive_before_connect feature is enabled and the downstream connection closes before the upstream connection is established.

  • tls: Fixed an issue where SANs of type OTHERNAME in a TLS cert were truncated if there was an embedded null octet, leading to incorrect SAN validation.
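
The class of bug behind the tls fix above, as an added example (not Envoy's code; the struct, function names and sample bytes are hypothetical and constructed): a SAN value handled as a C string loses everything after the first null octet, so the matcher sees a different name than the certificate carries. The length-aware comparison treats the value as exactly `len` octets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A decoded SAN value: explicit length, may contain 0x00 octets. */
typedef struct {
    const unsigned char *data;
    size_t len;
} san_value;

/* Constructed sample bytes (not taken from any real certificate). */
static const unsigned char SAN_WITH_NUL[] = {'s','v','c','-','a',0x00,'.','o','t','h','e','r'};
static const unsigned char SAN_CLEAN[] = {'s','v','c','-','a'};

/* Flawed: stops at the first null octet, as C-string handling would. */
static bool san_matches_truncating(const san_value *san, const char *expected) {
    const unsigned char *nul = memchr(san->data, 0, san->len);
    size_t seen = nul ? (size_t)(nul - san->data) : san->len;
    return seen == strlen(expected) && memcmp(san->data, expected, seen) == 0;
}

/* Correct: compares every octet the certificate actually carries. */
static bool san_matches_exact(const san_value *san, const char *expected,
                              size_t expected_len) {
    return san->len == expected_len &&
           memcmp(san->data, expected, expected_len) == 0;
}

/* Stricter policy check: flag any value with an embedded null octet. */
static bool san_has_embedded_nul(const san_value *san) {
    return memchr(san->data, 0, san->len) != NULL;
}

int main(void) {
    san_value bad = {SAN_WITH_NUL, sizeof SAN_WITH_NUL};
    san_value ok = {SAN_CLEAN, sizeof SAN_CLEAN};
    printf("truncating match on embedded-null SAN: %d\n",
           san_matches_truncating(&bad, "svc-a"));
    printf("exact match on embedded-null SAN:      %d\n",
           san_matches_exact(&bad, "svc-a", 5));
    printf("embedded null flagged:                 %d\n",
           san_has_embedded_nul(&bad));
    printf("exact match on clean SAN:              %d\n",
           san_matches_exact(&ok, "svc-a", 5));
    return 0;
}
```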

New features

  • dynamic modules: Added support for loading dynamic modules globally by setting load_globally to true.

  • overload management: The fixed heap resource monitor can now calculate memory pressure as currently allocated memory divided by maximum heap size, giving more accurate and lower memory pressure values. This can avoid unnecessary load shedding or overload actions. To enable, set envoy.reloadable_features.fixed_heap_use_allocated to true. The default algorithm (heap_size - pageheap_unmapped - pageheap_free) does not discount free memory in TCMalloc caches.

  • tls_inspector: Propagate the transport error from the tls_inspector to the DownstreamTransportFailureReason in StreamInfo for access logging prior to the TLS handshake.