.. _version_history_1.36.5:

1.36.5 (March 10, 2026)
========================






Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*



* **http**: Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
  destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
  had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
  ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
* **json**: Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
  when the input string ends with a control character.
* **network**: Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
* **oauth2**: Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
* **ratelimit**: Fixed a bug in the gRPC rate limit client where the client could get into a bad state if the
  callbacks were not properly released after a request completion, leading to potential use-after-free
  issues. The fix ensures that callbacks and request references are cleared after completion, and adds
  assertions to enforce correct usage patterns.
* **rbac**: Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
  into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
  The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.