Announcing Istio 1.28.9
Istio 1.28.9 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.28.8 and 1.28.9.
Security update
For more information, see ISTIO-SECURITY-2026-005.
Envoy CVEs
- GHSA-p7c7-7c47-pwch (CVSS score 7.5): Fixed a denial-of-service vulnerability in the HTTP/3 stack via QPACK blocked decoding. When a QPACK header block was blocked waiting for dynamic table updates, the HEADERS payload bytes were released from QUIC receive-flow-control accounting while still retained in an internal decoder heap buffer, allowing a remote attacker to drive unbounded memory growth and trigger an out-of-memory condition.
- CVE-2026-47692 (CVSS score 4.8): Fixed a bug where passthrough TLVs combined with added TLVs could exceed the maximum length, resulting in a mismatch between the size reported in the header and the number of bytes written. This could allow a smuggled request from the host writing the PROXY protocol header to the upstream host.
- CVE-2026-47207 (CVSS score 6.5): Fixed a bug where the `ext_proc` server sends unexpected `ProcessingResponses` to Envoy.
- CVE-2026-47205 (CVSS score 5.9): Fixed a use-after-free crash in the ext_authz filter when per-route service overrides are active and the downstream connection resets during an in-flight authorization check.
- CVE-2026-47221 (CVSS score 5.9): Fixed an issue when handling HTTP 303 internal redirects for body-less requests. The redirect handling code attempted to drain a request body buffer that was never allocated, causing a segmentation fault.
- CVE-2026-48044 (CVSS score 7.5): Fixed a memory exhaustion vulnerability in the Zstd decompressor where the `MaxInflateRatio` limit was only checked after each input slice was fully processed, allowing a maliciously crafted compressed payload to expand to hundreds of MB within a single `process()` call. The inflate ratio limit is now enforced inside the inner decompression loop, matching the gzip and brotli decompressors and aborting decompression as soon as the threshold is breached.
- CVE-2026-48090 (CVSS score 5.9): Fixed a bug where the asynchronous token change callback could be triggered after the filter had been torn down (`onDestroy()` had been called), which could lead to accessing dangling pointers and result in a use-after-free or crash.
- CVE-2026-47778 (CVSS score 4.4): Fixed an issue where Envoy could fail to validate the Subject Alternative Name (SAN) of a peer certificate if the SAN contained an embedded NUL byte. Previously, the SAN parsing was vulnerable to NUL byte truncation in some configurations, potentially leading to incorrect trust decisions.
- CVE-2026-47204 (CVSS score 6.5): Fixed a crash or use-after-free when the gRPC stats filter performs stat tracking on a direct response route.
- CVE-2026-48497 (CVSS score 5.9): Fixed sanity checking of the query name length to avoid abnormal process termination. Use `ENVOY_BUG` in case the sanity check fails.
- CVE-2026-48706 (CVSS score 5.9): Fixed a `TcpStatsdSink` buffer overflow issue with a large stats name.
- CVE-2026-48743 (CVSS score 7.5): Fixed HTTP/3 headers-only request and response content-length validation, and reset the stream if inconsistent. The change is guarded by the runtime guard `envoy.reloadable_features.quic_validate_headers_only_content_length`.
- CVE-2026-47775 (CVSS score 6.8): Addressed a padding oracle in the OAuth2 filter's AES-256-CBC cookie decryption. The filter now supports AES-256-GCM encryption with a `gcm.` algorithm marker, which authenticates the ciphertext and removes the oracle.
- CVE-2026-48042 (CVSS score 7.5): Limited JSON nesting depth to 1000. The limit can be relaxed to 10K by setting `envoy.reloadable_features.limit_json_parser_nesting_depth` to `false`.
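The CVE-2026-48044 entry describes the difference between checking an inflate ratio after a slice has been fully expanded and checking it inside the inner loop. The following is an added illustration, not Envoy's Zstd decompressor: a toy run-length codec (each input pair `count, byte` expands to `count` copies of `byte`) stands in for Zstd, and the names `decode_slice_post_check`, `decode_slice_guarded`, `DecodeResult` and the `chunk` parameter are assumptions of this example. The ratio here is defined as output bytes over the input slice length, which is an assumption about how the limit is expressed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added example (not Envoy code). A toy run-length codec stands in for Zstd:
// each input pair (count, byte) expands to `count` copies of `byte`.
// `max_inflate_ratio` caps output at input_bytes * ratio for the slice.
struct DecodeResult {
  bool ok;              // false when the inflate ratio limit was breached
  size_t produced_out;  // output bytes materialised before returning
  std::string output;
};

// Pre-fix shape: the ratio is consulted only after the whole slice has been
// expanded, so all output is allocated before the limit can stop anything.
DecodeResult decode_slice_post_check(const std::vector<uint8_t>& in,
                                     size_t max_inflate_ratio) {
  DecodeResult r{true, 0, {}};
  for (size_t i = 0; i + 1 < in.size(); i += 2) {
    r.output.append(static_cast<size_t>(in[i]), static_cast<char>(in[i + 1]));
  }
  r.produced_out = r.output.size();
  if (r.produced_out > in.size() * max_inflate_ratio) r.ok = false;
  return r;
}

// Fixed shape: output is emitted in fixed-size chunks (like a decompressor's
// output buffer) and the ratio is checked on every chunk, so decoding aborts as
// soon as the threshold is crossed and memory stays near limit + one chunk.
DecodeResult decode_slice_guarded(const std::vector<uint8_t>& in,
                                  size_t max_inflate_ratio, size_t chunk = 16) {
  DecodeResult r{true, 0, {}};
  const size_t limit = in.size() * max_inflate_ratio;
  for (size_t i = 0; i + 1 < in.size(); i += 2) {
    size_t remaining = in[i];
    while (remaining > 0) {
      const size_t n = remaining < chunk ? remaining : chunk;
      r.output.append(n, static_cast<char>(in[i + 1]));
      remaining -= n;
      r.produced_out = r.output.size();
      if (r.produced_out > limit) {  // inner-loop check: stop right here
        r.ok = false;
        return r;
      }
    }
  }
  r.produced_out = r.output.size();
  return r;
}

// Constructed sample: 4 input bytes that expand to 510 output bytes.
std::vector<uint8_t> hostile_slice() { return {255, 'A', 255, 'A'}; }

// Constructed sample: 4 input bytes that expand to "xxxyy".
std::vector<uint8_t> benign_slice() { return {3, 'x', 2, 'y'}; }
```

With a ratio limit of 10 the hostile slice may produce at most 40 bytes: the post-check version materialises all 510 bytes before reporting a failure, while the guarded version stops after the third 16-byte chunk (48 bytes) and never allocates the rest.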
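The CVE-2026-47778 entry refers to NUL byte truncation when parsing a peer certificate's SAN. As an added example (not Envoy's or BoringSSL's code), the block below contrasts a C-string comparison, which stops at the first NUL, with a length-aware comparison that also rejects any SAN containing an embedded NUL. The function names `san_matches_cstr`, `san_matches_safe` and `crafted_san` are assumptions of this example, and the SAN value is constructed.

```cpp
#include <cstring>
#include <string>
#include <string_view>

// Added example (not Envoy code). A SAN in a certificate is a length-delimited
// byte string, so it may contain a NUL byte even though a hostname never should.

// Truncating comparison: strcmp stops at the first NUL, so the bytes after it
// are silently ignored and the trust decision is made on a prefix.
bool san_matches_cstr(const std::string& san, const std::string& expected) {
  return std::strcmp(san.c_str(), expected.c_str()) == 0;
}

// Hardened comparison: a SAN with an embedded NUL is malformed and is rejected
// outright; otherwise the full length-delimited value is compared, because
// std::string_view compares length and every byte rather than stopping at NUL.
bool san_matches_safe(std::string_view san, std::string_view expected) {
  if (san.find('\0') != std::string_view::npos) {
    return false;
  }
  return san == expected;
}

// Constructed sample: "example.com" followed by a NUL byte and more bytes,
// 21 bytes in total, as a length-delimited value would carry it.
std::string crafted_san() {
  std::string s = "example.com";
  s.push_back('\0');
  s += "evil.test";
  return s;
}
```

The C-string version accepts the crafted value as `example.com` because it never sees the bytes after the NUL; the hardened version rejects it while still matching a well-formed SAN exactly.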
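The CVE-2026-48042 entry limits JSON nesting depth to 1000. The block below is an added example of how such a limit can be enforced by a single pass over the text before a recursive parser touches it; it is not Envoy's JSON parser, and the names `max_nesting_depth`, `within_nesting_limit` and `nested_arrays` are assumptions of this example. Brackets inside string literals (including escaped quotes) are skipped so that they do not count toward the depth.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

// Added example (not Envoy code). Returns the deepest array/object nesting in
// a JSON text, ignoring '[' '{' ']' '}' that appear inside string literals.
size_t max_nesting_depth(std::string_view json) {
  size_t depth = 0, deepest = 0;
  bool in_string = false;
  for (size_t i = 0; i < json.size(); ++i) {
    const char c = json[i];
    if (in_string) {
      if (c == '\\') { ++i; continue; }  // skip the escaped character, e.g. \"
      if (c == '"') in_string = false;
      continue;
    }
    if (c == '"') {
      in_string = true;
    } else if (c == '[' || c == '{') {
      if (++depth > deepest) deepest = depth;
    } else if (c == ']' || c == '}') {
      if (depth > 0) --depth;  // unbalanced closers are left to the real parser
    }
  }
  return deepest;
}

// Reject documents nested deeper than `limit` (1000 mirrors the page's default).
bool within_nesting_limit(std::string_view json, size_t limit = 1000) {
  return max_nesting_depth(json) <= limit;
}

// Constructed sample: n nested arrays wrapping a single number.
std::string nested_arrays(size_t n) {
  return std::string(n, '[') + "0" + std::string(n, ']');
}
```

A document nested exactly 1000 deep passes, 1001 is rejected, and bracket characters inside a string value do not inflate the count.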