Envoy Security Releases [1.37.1, 1.36.5, 1.35.9, 1.34.13] are available today


Boteng Yao

Mar 10, 2026, 1:40:18 PM
to envoy-a...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com, envoy-security, cncf-envoy-distr...@lists.cncf.io, envoy-ma...@googlegroups.com, envoy-platform-team, envoy-cl...@google.com
Hi Envoy Community,

The Envoy security team would like to announce the availability of Envoy 1.37.1, 1.36.5, 1.35.9, and 1.34.13 to address the following CVE(s):

CVE-2026-26330: The global rate limit may crash when the response phase limit is enabled and the response phase request fails directly
CVE-2026-26308: RBAC Header Validation Bypass via Multi-Value Header Concatenation
CVE-2026-26310: Crash for scoped IP address in Envoy during DNS
CVE-2026-26311: HTTP: filter chain execution on reset streams causes a UAF crash
CVE-2026-26309: Off-by-one write in JsonEscaper::escapeString()

The releases will be published to our releases page as they become available today:

     https://github.com/envoyproxy/envoy/releases

You are encouraged to update your versions of Envoy, and documentation for all versions can be found at https://www.envoyproxy.io/docs.

A PR to resolve these issues on the `main` branch has been raised here:

     https://github.com/envoyproxy/envoy/pull/43877

Thanks,

Ryan Northey (@phlax)
Boteng Yao (@botengyao)

on behalf of the Envoy security team
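The check a fleet operator wants after reading this announcement is whether each running Envoy is at or above the patched release for its minor line. The following is an added example, not code from the announcement or from the Envoy project. It embeds the four fixed versions listed above and classifies a version string as fixed, vulnerable, or not covered (a minor line the announcement does not mention, such as anything older than 1.34). The assumption that `envoy --version` prints a line of the form `envoy  version: <sha>/1.36.4/Clean/RELEASE/BoringSSL` is mine; a bare `x.y.z` string is accepted as well.

```python
import re
import subprocess
import sys

# Fixed releases taken from the announcement: 1.37.1, 1.36.5, 1.35.9, 1.34.13,
# keyed by (major, minor) line.
FIXED_VERSIONS = {
    (1, 37): (1, 37, 1),
    (1, 36): (1, 36, 5),
    (1, 35): (1, 35, 9),
    (1, 34): (1, 34, 13),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_envoy_version(text: str) -> tuple:
    """Return (major, minor, patch) from an `envoy --version` line or a bare x.y.z.

    Assumption (not from the announcement): the CLI prints something like
    'envoy  version: <sha>/1.36.4/Clean/RELEASE/BoringSSL'. The sha has no dots,
    so the first dotted triple is the release version.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(text: str) -> str:
    """Classify a version against the fixed releases of this announcement.

    'fixed'       - at or above the patched release for its minor line
    'vulnerable'  - below the patched release for a listed minor line
    'not covered' - a minor line this announcement says nothing about
                    (e.g. 1.33.x or newer, unlisted lines); treat as needing
                    a separate check rather than as safe
    """
    version = parse_envoy_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not covered"
    return "fixed" if version >= fixed else "vulnerable"


def running_envoy_version_text() -> str:
    """Ask the local binary for its version; raises if `envoy` is not on PATH."""
    out = subprocess.run(["envoy", "--version"], capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Usage: python envoy_check.py [version-string]; with no argument it runs `envoy --version`.
    text = sys.argv[1] if len(sys.argv) > 1 else running_envoy_version_text()
    v = parse_envoy_version(text)
    print(f"{'.'.join(map(str, v))}: {assess(text)}")
```

Note that "not covered" is deliberately not reported as safe: a line with no release in this announcement may be end-of-life or may be fixed elsewhere, and only the Envoy release notes can settle that.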