Summary of changes:
-
Security fixes:
- CVE-2026-47774: http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards
mutable_max_request_headers_kbandmax_headers_countlimits, protecting against an HPACK cookie-bomb that could cause excessive memory usage. This can be reverted withenvoy.reloadable_features.http2_include_cookies_in_limits. - oauth2: fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
- oauth2: fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a
HeaderStringvalidation assert. - CVE-2026-27135: http2: applied nghttp2 CVE-2026-27135 patch.
- CVE-2026-47774: http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards
-
Bug fixes:
- load_report: fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup.
-
New features:
- stats: added support to remove unused metrics from memory for extensions that support evictable metrics, done periodically during metric flush using
stats_eviction_interval. - stats: added support to limit the number of stats stored in each stats scope in the stats library.
- stats: added support to remove unused metrics from memory for extensions that support evictable metrics, done periodically during metric flush using
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.11
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.11/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.11/version_history/v1.35/v1.35.11
Full changelog:
v1.35.10...v1.35.11
Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Ryan Northey ryan@synca.io