This release note describes the changes in Solo builds between Istio versions 1.26.3 and 1.26.4.

Security Notice

This build includes fixes for the following Envoy CVEs:

  • CVE-2025-55162 (CVSS score: 6.3, Moderate): “oAuth2 Filter Signout route will not clear cookies because of missing ‘Secure;’ flag.”
  • CVE-2025-54588 (CVSS score: 7.5, High): “Use after free in DNS cache”

General

This version was built against upstream Istio release 1.26.4.

  • Added the telemetry field pilot_xds_recv_max to allow monitoring the maximum size of XDS requests received through gRPC. This is a backport of an upstream feature that will be introduced in Istio 1.