1.35.13 (June 23, 2026)
Incompatible behavior changes
Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
- build: The contrib extension `envoy.network.connection_balance.dlb` (Intel DLB connection balancer) has been disabled at the Bazel layer for all builds and platforms due to a breakage at the source archive. See https://github.com/envoyproxy/envoy/issues/45491 for local workarounds.
Bug fixes
Changes expected to improve the state of the world and are unlikely to have negative effects
- dns_filter: Fix: CVE-2026-48497
  Fix sanity checking of the query name length to avoid abnormal process termination. Use `ENVOY_BUG` in case the sanity check fails.
- ext_proc: Fix: CVE-2026-47207
  Fixed a bug when the ext_proc server sends packed unexpected ProcessingResponses to Envoy.
- grpc_stats: Fix: CVE-2026-47204
  Fixed a crash or use-after-free when the gRPC stats filter performs stat tracking on a direct response route.
- json: Fix: CVE-2026-48042
  Limit JSON nesting depth to 1000. The limit can be relaxed to 10K by setting `envoy.reloadable_features.limit_json_parser_nesting_depth` to `false`.
- oauth2: Fix: CVE-2026-47775
  Addressed a padding oracle in the OAuth2 filter's AES-256-CBC cookie decryption. The filter now supports AES-256-GCM encryption with a `gcm.` algorithm marker, which authenticates the ciphertext and removes the oracle.

  The fix is opt-in to keep rolling upgrades safe. On upgrade, the default behaviour is unchanged: cookies are still encrypted with AES-256-CBC and the CBC decrypt path is still reachable, so existing sessions and mixed-version clusters keep working. Two runtime flags control the migration:

  - `envoy.reloadable_features.oauth2_use_gcm_encryption` (default `false`): when set to `true`, `encrypt()` produces AES-256-GCM ciphertexts prefixed with `gcm.`. While `false` (the default), `encrypt()` continues to emit AES-256-CBC ciphertexts with no prefix, wire-compatible with older instances.
  - `envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat` (default `true`): when `true`, `decrypt()` accepts both `gcm.`-prefixed cookies (via GCM) and legacy cookies (via the legacy CBC fallback). When set to `false`, only `gcm.`-prefixed cookies decrypt; legacy CBC cookies are rejected and the affected users are redirected to the OAuth server to re-authenticate. While the CBC fallback is reachable, it partially reopens CVE-2026-47775.

  You should set `envoy.reloadable_features.oauth2_use_gcm_encryption` to `true` once you have ensured that all instances in your cluster are capable of decrypting GCM-encrypted cookies. Then, at an appropriate time, you can set `envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat` to `false` to disable the legacy CBC decryption path. Never set `envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat` to `false` before you have enabled `envoy.reloadable_features.oauth2_use_gcm_encryption`.

  Both flags and the AES-256-CBC code paths are scheduled for removal once the migration window has elapsed.

  The OAuth2 filter exposes a new counter `oauth_legacy_cbc_decrypt` that increments each time a cookie is successfully decrypted via the legacy CBC fallback. Operators should watch this stat decay to zero across the migration window before flipping `oauth2_legacy_cbc_decrypt_compat` to `false`.
- oauth2: Fix: CVE-2026-48090
  Fixed a bug where the asynchronous token change callback could be triggered after the filter had been torn down (`onDestroy()` had been called), which could lead to access of dangling pointers and result in a use-after-free or crash.
- proxy_protocol: Fix: CVE-2026-47692
  Fixed a bug where passthrough TLVs combined with added TLVs could exceed the maximum length, resulting in a mismatch between the size reported in the header and the number of bytes written. This could allow a smuggled request from the host writing the PROXY protocol header to the upstream host. This behavioral change can be reverted by setting the runtime guard `envoy.reloadable_features.proxy_protocol_remove_too_long_tlvs` to `false`.
- quic: Fix: CVE-2026-48743
  Validate HTTP/3 headers-only request and response content-length, and reset the stream if inconsistent. The change is guarded by the runtime guard `envoy.reloadable_features.quic_validate_headers_only_content_length`.
- quic: Fix: GHSA-p7c7-7c47-pwch
  Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding.
- router: Fix: CVE-2026-47221
  Fixed an issue when handling HTTP 303 internal redirects for body-less requests. The redirect handling code attempted to drain a request body buffer that was never allocated, causing a segmentation fault.
- tcp_statsd_sync: Fix: CVE-2026-48706
  Fixed a TcpStatsdSync buffer overflow issue with large stat names.
- tls: Fix: [CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7)
  Fixes an issue where Envoy could fail to validate the Subject Alternative Name (SAN) of a peer certificate if the SAN contained an embedded NUL byte. Previously, the SAN parsing was vulnerable to NUL byte truncation in some configurations, potentially leading to incorrect trust decisions.
- wasm: Bump `com_github_wasmtime` to resolve CVE-2026-47261.
- zstd: Fix: CVE-2026-48044
  Fixed a memory exhaustion vulnerability in the Zstd decompressor where the `MaxInflateRatio` limit was only checked after each input slice was fully processed, allowing a maliciously crafted compressed payload to expand to hundreds of MB within a single `process()` call. The inflate ratio limit is now enforced inside the inner decompression loop, matching the gzip and brotli decompressors and aborting decompression as soon as the threshold is breached.
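As an added illustration of the OAuth2 cookie-encryption migration described in the oauth2 CVE-2026-47775 entry above (this is an example written for these notes, not Envoy's own configuration or documentation), the following bootstrap `layered_runtime` fragment sets the two runtime flags for each phase of the migration. The layer name is a placeholder; the three phases are shown as comments with phase 1 active, and the only Envoy-meaningful content is the two flag keys and their values.

```yaml
# Added example: bootstrap runtime layer for the OAuth2 cookie-encryption migration.
# The layer name is arbitrary (placeholder); only the flag keys matter to Envoy.
layered_runtime:
  layers:
    - name: oauth2_cookie_migration   # placeholder name
      static_layer:
        # Phase 0 (release default, unchanged on upgrade): cookies are still issued
        # as AES-256-CBC and the CBC decrypt fallback is reachable, so the padding
        # oracle (CVE-2026-47775) remains partially exposed.
        #   envoy.reloadable_features.oauth2_use_gcm_encryption: false
        #   envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat: true
        #
        # Phase 1 (active below): every instance in the cluster can decrypt
        # "gcm."-prefixed cookies, so new cookies are issued as AES-256-GCM.
        # Legacy CBC cookies are still accepted; each such decrypt increments
        # the oauth_legacy_cbc_decrypt counter.
        envoy.reloadable_features.oauth2_use_gcm_encryption: true
        envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat: true
        #
        # Phase 2: once oauth_legacy_cbc_decrypt has decayed to zero, close the
        # CBC fallback. Remaining CBC cookies are rejected and those users are
        # redirected to re-authenticate. Do not enter this phase before phase 1
        # is in effect on every instance.
        #   envoy.reloadable_features.oauth2_use_gcm_encryption: true
        #   envoy.reloadable_features.oauth2_legacy_cbc_decrypt_compat: false
```

A static layer takes effect when the process starts, so each phase change is a rolling restart with the edited file; if the bootstrap also declares an `admin_layer`, the same two keys can be flipped on a running instance through the admin interface's `/runtime_modify` endpoint, which keeps phase 2 a quick rollback away (set `oauth2_legacy_cbc_decrypt_compat` back to `true`) if the counter turns out not to have reached zero.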