github envoyproxy/envoy v1.36.9
on GitHub

latest releases: v1.38.3, v1.37.5
5 hours ago

repo: Release v1.36.9

Summary of changes:

  • Upstream security fixes:

    • CVE-2026-47205:Authz per route crash
    • CVE-2026-47207: ext_proc response in one gRPC message
    • CVE-2026-47221: router internal redirects crash
    • CVE-2026-47775: OAuth2 code verifier padding oracle
    • CVE-2026-48044: zstd RLE zip bomb
    • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
    • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
    • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
    • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
    • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
    • CVE-2026-48497: Abnormal process termination in DNS UDP filter
    • CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
    • CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
    • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding

  • Upstream security fixes:

  • Behavior changes:

    • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.9/version_history/v1.36/v1.36.9
Full changelog:
v1.36.8...v1.36.9

Check out latest releases or
releases around envoyproxy/envoy v1.36.9

Don't miss a new envoy release

NewReleases is sending notifications on new releases.

Get notifications