1.28.6

Solo build of Istio version 1.28.6 patch release.

This release note describes what’s different between Solo builds of Istio versions 1.28.5-patch0 and 1.28.6.

Security Notice

This release bumps the Go version to 1.25.9, which includes fixes for the following security vulnerabilities in the Go crypto packages:

  • CVE-2026-32280 (CVSS 7.5, High) (crypto/x509): During chain building, the amount of work performed is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

  • CVE-2026-32281 (Unscored, Undergoing Analysis) (crypto/x509): Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains.

  • CVE-2026-32283 (Unscored, Undergoing Analysis) (crypto/tls): If one side of a TLS 1.3 connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

  • CVE-2026-33810 (Unscored, Undergoing Analysis) (crypto/x509): When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs that use a different case than the constraint. For example, if a certificate contains the DNS name *.example.com and the excluded DNS name EXAMPLE.COM, the constraint will not be applied. This only affects validation of otherwise trusted certificate chains.
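An audit sketch for the last item above (CVE-2026-33810), added here as an example and not taken from this release or from Go's source: it flags wildcard DNS SANs that an issuer's excluded DNS constraint covers only when case is ignored. The matching in `covers` is a simplified assumption, the function names are hypothetical, and the certificates in `sampleFindings` are constructed.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// Finding is a wildcard SAN plus an excluded constraint that covers it only if case is ignored.
type Finding struct{ SAN, Constraint string }

// covers reports whether name lies at or under constraint, compared byte for byte.
// A leading dot on the constraint restricts the match to subdomains.
func covers(name, constraint string) bool {
	if strings.HasPrefix(constraint, ".") {
		return strings.HasSuffix(name, constraint)
	}
	return name == constraint || strings.HasSuffix(name, "."+constraint)
}

// caseOnlyExclusions lists wildcard SANs that an excluded DNS constraint covers
// case-insensitively but not byte for byte (simplified; not the crypto/x509 code).
func caseOnlyExclusions(sans, excluded []string) []Finding {
	var out []Finding
	for _, san := range sans {
		for _, c := range excluded {
			if strings.HasPrefix(san, "*.") && covers(strings.ToLower(san), strings.ToLower(c)) && !covers(san, c) {
				out = append(out, Finding{san, c})
			}
		}
	}
	return out
}

// sampleFindings audits a constructed leaf against a constructed issuing CA.
func sampleFindings() []Finding {
	leaf := &x509.Certificate{DNSNames: []string{"*.example.com", "www.example.org"}}
	ca := &x509.Certificate{ExcludedDNSDomains: []string{"EXAMPLE.COM", "example.org"}}
	return caseOnlyExclusions(leaf.DNSNames, ca.ExcludedDNSDomains)
}

func main() {
	for _, f := range sampleFindings() {
		fmt.Printf("review: excluded %q covers SAN %q only when case is ignored\n", f.Constraint, f.SAN)
	}
}
```

To audit real chains, parse each certificate with `x509.ParseCertificate` and pass the leaf's `DNSNames` together with each issuer's `ExcludedDNSDomains`.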

General Changes

  • Built against upstream Istio version 1.28.6. The release note can be found here.
  • Built against upstream Istio commit COMMIT. See the commit and history here.

Solo Flavor Changes

  • Added a --revision (-r) flag to istioctl bootstrap, allowing users to target a specific control plane revision. When set, the command looks up istiod-{revision} instead of the default istiod service.

FIPS Flavor Changes

No changes in this section.