envoyproxy/envoy v1.38.1

on GitHub

Summary of changes:

• Security fixes:

  • CVE-2026-47774: http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards mutable_max_request_headers_kb and max_headers_count limits, protecting against an HPACK cookie-bomb that could cause excessive memory usage. This can be reverted with envoy.reloadable_features.http2_include_cookies_in_limits.
  • oauth2: fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
  • oauth2: fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a HeaderString validation assert.
  • CVE-2026-27135: http2: applied nghttp2 CVE-2026-27135 patch.

• Bug fixes:

  • dynamic_modules: fixed a crash in the HTTP filter when a stream was already above the downstream write-buffer high watermark at filter-chain construction time.

• Minor behavior changes:

  • router: the upstream transport failure reason is no longer included in the HTTP response body sent to downstream clients (still available in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%). Revert with envoy.reloadable_features.hide_transport_failure_reason_in_response_body.
  • upstream: load balancer rebuild coalescing during EDS batch host updates is now opt-in. Re-enable with envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.38.1
Docs:
https://www.envoyproxy.io/docs/envoy/v1.38.1/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.38.1/version_history/v1.38/v1.38.1
Full changelog:
v1.38.0...v1.38.1

Signed-off-by: Jonh Wendell jonh.wendell@redhat.com
Signed-off-by: Greg Greenway ggreenway@apple.com
Signed-off-by: Ryan Northey ryan@synca.io