Solo distribution of Istio changelog

1.26.4

Solo build of Istio version 1.26.4 patch release.

This release note describes the changes of Solo builds between Istio versions 1.26.3 and 1.26.4.

Security Notice

This build includes fixes of the Envoy CVEs:

CVE-2025-55162 (CVSS score: 6.3, Moderate): “oAuth2 Filter Signout route will not clear cookies because of missing ‘Secure;’ flag.”
CVE-2025-54588 (CVSS score: 7.5, High): “Use after free in DNS cache”

General

This version was built against upstream Istio release 1.26.4.

Added the telemetry field pilot_xds_recv_max to allow monitoring the maximum size of XDS requests received through gRPC. This is a backport from upstream feature that will be introduced in Istio 1.

1.26.5 1.26.3-patch1