Announcing Istio 1.28.8
Istio 1.28.8 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.28.7 and 1.28.8.
Security Update
- CVE-2026-47774 (CVSS score 7.5, High): An unauthenticated remote attacker can cause denial of service by exhausting memory in the Envoy process. Cookie header bytes are not fully accounted for during request header size validation, and HPACK header block limits are enforced on encoded bytes without a corresponding limit on total decoded header size, allowing attackers to trigger excessive memory consumption through specially crafted HTTP/2 requests.
Changes
- Fixed an issue where HTTPS listeners defined via `ListenerSet` failed to deliver TLS certificates when the parent `Gateway` used manual deployment. (Issue #59535)
- Fixed an issue where `HTTPRoute` and `GRPCRoute` filters with invalid header values were silently dropped from the Envoy config instead of reporting an invalid filter status. (Issue #59933)
- Fixed an ambient mode bug where a single `Service` combining `publishNotReadyAddresses: true` with a `PreferSameZone` or `PreferSameNode` traffic distribution caused ztunnel to receive `healthPolicy: AllowAll` for every other `Service` using the same traffic-distribution preset, leading to traffic being routed to not-ready endpoints cluster-wide. (Issue #60422)
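To judge whether an ambient mesh on 1.28.7 was exposed to the last issue, the following added example (not part of the Istio release or its tooling) groups Services by traffic-distribution preset and separates the triggering Services from the others sharing that preset. It assumes input shaped like `kubectl get services -A -o json`, that the preset is read from `spec.trafficDistribution` or the `networking.istio.io/traffic-distribution` annotation, and uses constructed sample data; the names `preset_of` and `triage` are hypothetical.

```python
import json

PRESETS = {"PreferSameZone", "PreferSameNode"}            # presets named in the release note
ANNOTATION = "networking.istio.io/traffic-distribution"   # assumed annotation source

def _svc(ns, name, spec=None, annotations=None):
    """Build a minimal Service object for the constructed sample below."""
    return {"metadata": {"namespace": ns, "name": name,
                         "annotations": annotations or {}},
            "spec": spec or {}}

# Constructed sample, shaped like `kubectl get services -A -o json`.
SAMPLE = {"items": [
    _svc("shop", "db-headless", {"publishNotReadyAddresses": True,
                                 "trafficDistribution": "PreferSameZone"}),
    _svc("shop", "cart", {"trafficDistribution": "PreferSameZone"}),
    _svc("shop", "web", annotations={ANNOTATION: "PreferSameZone"}),
    _svc("ops", "metrics", {"trafficDistribution": "PreferSameNode"}),
    _svc("ops", "legacy", {"publishNotReadyAddresses": True}),
]}

def preset_of(svc):
    """Return the Service's preset if it is one the bug involves, else None.
    Either source is accepted; precedence between them is not modelled."""
    value = (svc.get("spec", {}).get("trafficDistribution")
             or svc.get("metadata", {}).get("annotations", {}).get(ANNOTATION))
    return value if value in PRESETS else None

def triage(service_list):
    """Map each affected preset to its trigger Services and the other
    Services that share the preset (and so could have received AllowAll)."""
    report = {}
    for svc in service_list.get("items", []):
        preset = preset_of(svc)
        if preset is None:
            continue
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        entry = report.setdefault(preset, {"triggers": [], "exposed": []})
        is_trigger = svc.get("spec", {}).get("publishNotReadyAddresses") is True
        entry["triggers" if is_trigger else "exposed"].append(name)
    # A preset only matters if at least one Service combines it with
    # publishNotReadyAddresses: true.
    return {p: e for p, e in report.items() if e["triggers"]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

An empty result means no Service in the input combines the two settings, so the cluster-wide effect described above would not have been triggered.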