1.38.1 (Pending)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • router: The upstream transport failure reason (e.g. TLS certificate validation errors) is no longer included in the HTTP response body sent to downstream clients. It remains available in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.hide_transport_failure_reason_in_response_body to false. This is being changed because in many cases the upstream failure details are inappropriate to send to the downstream client as it discloses too many internal details.

  • upstream: Load balancer rebuild coalescing during EDS batch host updates is now opt-in. It was previously enabled by default. It can be re-enabled by setting the runtime guard envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update to true.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • dynamic_modules: Fixed a crashing bug in the HTTP filter when a stream was already above the downstream write-buffer high watermark at filter-chain construction time. Downstream watermark callback registration is now deferred until the in-module filter has been constructed.

  • http2: Apply nghttp2 CVE-2026-27135 patch.

  • http2: Fix: CVE-2026-47774

    HTTP/2 streams will now be reset if the stream violates the maximum header list size configured via mutable_max_request_headers_kb. Note that this is different than the per header size specified by max_header_field_size_kb. Uncompressed cookies now count towards this limit to protect Envoys against large uncompressed cookies causing excessive memory usage. Additionally, cookies now also count towards max_headers_count limits. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.http2_include_cookies_in_limits to false.

  • oauth2: Fixed a bug where HMAC verification may exposure a timing side channel that leaks information of HMAC secret validity.

  • oauth2: Fixed a crash in the OAuth2 filter where AES-CBC decryption of token cookies could spuriously succeed (~1/256) when the configured HMAC secret did not match the secret used to encrypt the cookie (for example after secret rotation, or when receiving legacy unencrypted tokens). The resulting binary “plaintext” was written back into the Cookie: request header and tripped a HeaderString validation assert. Such plaintexts are now rejected and the original cookie value is preserved, matching the behavior already documented for the explicit decryption-failure case.