fix(deps): update module github.com/cilium/cilium to v1.19.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cilium/cilium	v1.19.2 → v1.19.3

---

Cillium exposes sensitive information included in the cilium-bugtool debug archive

CVE-2026-41520 / GHSA-gj49-89wh-h4gj

More information

Details

Impact

The output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled.

Users of WireGuard Transparent Encryption are affected.
The sensitive data is the WireGuard private key (cilium_wg0.key) used for node-to-node encrypted communication

cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster. It is also invoked when gathering sysdumps using the Cilium CLI's cilium sysdump command.

Patches

This issue affects:

• Cilium v1.19 between v1.19.0 and v1.19.2 inclusive
• Cilium v1.18 between v1.18.0 and v1.18.8 inclusive
• All versions of Cilium prior to v1.17.15

This issue has been patched in:

• Cilium v1.19.3
• Cilium v1.18.9
• Cilium v1.17.15

Workarounds

There is no workaround to this issue.

Users who have previously shared bugtool or sysdump archives from WireGuard-enabled nodes should rotate the WireGuard keys on the affected nodes. This can be done by deleting the key file and restarting the Cilium agent, which will generate a new key pair.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Cillium extends special thanks to @​kodareef5 for reporting the issue and @​tklauser for their work on triaging and remediating this issue.

For more information

If there are any questions or comments about this advisory, please reach out on Slack.

Cilium strongly encourages the reporting of suspected vulnerabilities to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and the report will be treated as top priority.

Severity

• CVSS Score: 7.9 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

References

• https://github.com/cilium/cilium/security/advisories/GHSA-gj49-89wh-h4gj
• https://github.com/cilium/cilium/releases/tag/v1.17.15
• https://github.com/cilium/cilium/releases/tag/v1.18.9
• https://github.com/cilium/cilium/releases/tag/v1.19.3
• http://docs.cilium.io/en/stable/security/network/encryption-wireguard
• https://github.com/advisories/GHSA-gj49-89wh-h4gj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.19.3: 1.19.3

Compare Source

Summary of Changes

Minor Changes:

• Fix performance bug in L7 policy proxy redirect handling (Backport PR #​44828, Upstream PR #​44613, @​fristonio)
• Fixes issue where the Cilium agent fails to initialise when using KVStore identity mode with etcd behind a K8s Service (Backport PR #​44828, Upstream PR #​44653, @​41ks)
• helm,docs: add configDriftDetection Helm values and documentation (Backport PR #​44974, Upstream PR #​44703, @​PhilipSchmid)

Bugfixes:

• [v1.19] Fix incorrect policy service selector handling (#​44888, @​fristonio)
• bgp: Fix potential race in service advertisements upon error retry (Backport PR #​45211, Upstream PR #​45049, @​rastislavs)
• clustermesh: fix a bug in the MCS-API CRD installl that could attempt a CRD downgrade when the version label is higher (Backport PR #​44828, Upstream PR #​44738, @​MrFreezeex)
• ctmap: Change order of active maps (Backport PR #​44828, Upstream PR #​44729, @​brb)
• Ensure completion.WaitGroup always has a timeout (Backport PR #​45217, Upstream PR #​44731, @​jrajahalme)
• envoy: Fix xds server npds listeners accounting (Backport PR #​45217, Upstream PR #​44830, @​fristonio)
• Fix a slow memory leak triggered by incremental policy updates (Backport PR #​44994, Upstream PR #​44328, @​odinuge)
• Fix endpoints for static pods stuck in init identity (Backport PR #​45211, Upstream PR #​45016, @​aaroniscode)
• Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB is disabled. When a pod accesses a NodePort service via a remote node's IP (instead of the ClusterIP) and the selected backend resides on the same node as the client, the connection fails due to missing reverse NAT on the reply path. (Backport PR #​44968, Upstream PR #​41963, @​gyutaeb)
• Fix memory leak triggered by policies being created and deleted (Backport PR #​44828, Upstream PR #​44724, @​odinuge)
• Fix panic in Hubble Relay when new peer address is unresolvable (Backport PR #​45211, Upstream PR #​45021, @​pesarkhobeee)
• fix(datapath): ignore link-local IPv6 addresses for NodePort binding (Backport PR #​44974, Upstream PR #​44778, @​Bigdelle)
• Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (Backport PR #​44866, Upstream PR #​44832, @​christarazi)
• Fixed an issue where policy update ack is never completed after endpoint deletion. (Backport PR #​44818, Upstream PR #​44754, @​jrajahalme)
• Fixed ipcache identity update hang when last proxy listener is removed. (Backport PR #​45217, Upstream PR #​44597, @​jrajahalme)
• Fixes GRPCRoute being silently excluded from Envoy config when a Gateway listener explicitly sets allowedRoutes.kinds. (Backport PR #​44974, Upstream PR #​44826, @​eufriction)
• Fixes increased CPU usage in hubble observe caused by log coloring feature, even when coloring was disabled (Backport PR #​44828, Upstream PR #​44119, @​tporeba)
• lb: fix panic in orphan backend cleanup when addr is zero-value (Backport PR #​44994, Upstream PR #​44853, @​vipul-21)
• lb: Skip nil slots during BPF map restore to prevent panic (Backport PR #​44974, Upstream PR #​44895, @​vipul-21)
• operator/identitygc: fix nil pointer dereference on shutdown (Backport PR #​45211, Upstream PR #​45091, @​tsotne95)
• wal: Do not truncate in NewWriter (Backport PR #​44974, Upstream PR #​44886, @​joamaki)
• WireGuard now respects the underlay-protocol=ipv6 setting when selecting peer endpoints in dual-stack clusters with IPv6 underlay, fixing connectivity issues where IPv4 was incorrectly used despite being unreachable across nodes. (Backport PR #​45247, Upstream PR #​44629, @​tibrezus)

CI Changes:

• .github/workflows: disable cache for go steps (Backport PR #​45211, Upstream PR #​45073, @​aanm)
• .github/workflows: replace external set-commit-status action (Backport PR #​45211, Upstream PR #​45078, @​aanm)
• .github: cleanup disk before ci-verifier tests (Backport PR #​44994, Upstream PR #​44971, @​aanm)
• allocator: handle unlikely goroutine leak (Backport PR #​44828, Upstream PR #​44589, @​asauber)
• ci: add fail-fast false to ci image builds (Backport PR #​45211, Upstream PR #​45079, @​Artyop)
• ci: fix is-workflow-call check to handle empty input (Backport PR #​45052, Upstream PR #​45020, @​aanm)
• ci: fix PR branch pull step on stable pushes (Backport PR #​45052, Upstream PR #​45019, @​Artyop)
• ci: fix pr number check for base branch retrieval (Backport PR #​45052, Upstream PR #​45024, @​Artyop)
• ci: set TMPDIR=/host/tmp in datapath verifier tests (Backport PR #​45211, Upstream PR #​45047, @​aanm)
• ci: Switch catchpoint/workflow-telemetry-action to our fork (#​45219, @​YutaroHayakawa)
• Fix some test-e2e-upgrade issues (Backport PR #​45211, Upstream PR #​45075, @​aanm)
• fix: escape $ character in regex to prevent injection (Backport PR #​44828, Upstream PR #​44638, @​peoyekunle)
• fix: harden k8s apiserver endpoint access (Backport PR #​44994, Upstream PR #​44863, @​sekhar-isovalent)
• sockets: Ensure bpffs is mounted in TestPrivilegedSocketDestroyers (Backport PR #​45052, Upstream PR #​44979, @​christarazi)

Misc Changes:

• .github/workflows: do not use deployments for environments (Backport PR #​45211, Upstream PR #​44908, @​aanm)
• [v1.19] vendor: update google.golang.org/grpc to v1.79.3 (#​45345, @​aanm)
• bgp: Disable MPTCP in the MD5 probing in the test (Backport PR #​45211, Upstream PR #​45102, @​YutaroHayakawa)
• bgp: Introduce --with-attrs option to bgp/routes (Backport PR #​45211, Upstream PR #​45015, @​YutaroHayakawa)
• bpf: lxc: limit NAT buffer lookup to per-packet LB (Backport PR #​44968, Upstream PR #​44387, @​julianwiedmann)
• bpf: Reduce scope of large variables (Backport PR #​45211, Upstream PR #​45067, @​pchaigno)
• bpf: Use global function for snat_v6_needs_masquerade (Backport PR #​44828, Upstream PR #​44544, @​pchaigno)
• bpf_lxc: improve per-packet LB for NodePort services (Backport PR #​44968, Upstream PR #​44710, @​saiaunghlyanhtet)
• chore(deps): update all github action dependencies (v1.19) (#​44934, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45038, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45169, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45304, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​44674, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45039, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45305, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​44786, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.9 (v1.19) (#​45273, @​cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.67.0 (v1.19) (#​45167, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.29 (v1.19) (#​45280, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 1487d0a (v1.19) (#​45035, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.9 docker digest to a95d3d1 (v1.19) (#​45315, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.9 (v1.19) (#​44929, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (v1.19) (#​45149, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260320123815-c9b9b51b278a (v1.19) (#​44930, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260408163332-73b2175ca510 (v1.19) (#​45302, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773729248-8de84653be3b2b3011e1cee5b3e702f6556fb3df (v1.19) (#​44931, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1774363526-9d47d40f80df306891816788b71415813ce49ef3 (v1.19) (#​45036, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.5-1775137579-2b3493aca96923190423ccec7e4dbc5f074ccad4 (v1.19) (#​45168, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1775912317-d56e4f5fec87556b7aaf3b8edeb100025ec87183 (v1.19) (#​45303, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776000132-2437d2edeaf4d9b56ef279bd0d71127440c067aa (v1.19) (#​45320, @​cilium-renovate[bot])
• chore(deps): update quay.io/goswagger/swagger docker tag to v0.33.2 (v1.19) (#​44932, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​45037, @​cilium-renovate[bot])
• docs: document reverse_sk map exhaustion impact on socket termination (Backport PR #​44860, Upstream PR #​44835, @​ysksuzuki)
• docs: Update sphinx theme to v3.1.0 (Backport PR #​45335, Upstream PR #​45289, @​joestringer)
• Fix EKS workflows misc errors (Backport PR #​45052, Upstream PR #​45023, @​aanm)
• fix(deps): update k8s.io patch updates stable to v0.35.3 (v1.19) (patch) (#​44933, @​cilium-renovate[bot])
• fix(deps): update k8s.io/utils digest to 28399d8 (v1.19) (#​44928, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 4b9911b (v1.19) (#​45177, @​cilium-renovate[bot])
• fix: using a local action needs checkout in eks-cluster-delete (Backport PR #​44994, Upstream PR #​44890, @​sekhar-isovalent)
• helm: Use bash instead of sh in init containers for Ubuntu 24.04 compatibility (Backport PR #​44828, Upstream PR #​44615, @​shivdesh)
• Probe support for BIG TCP for tunnels instead of relying on the config option. (Backport PR #​45211, Upstream PR #​43959, @​gentoo-root)

Other Changes:

• [v1.19] deps: bump cni plugins to v1.9.1 (#​45240, @​ferozsalam)
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.10 (v1.19) (#​45166, @​cilium-renovate[bot])
• install: Update image digests for v1.19.2 (#​44957, @​cilium-release-bot[bot])
• loadbalancer: Fix issue in resynchronization of state from api-server which may have left stale backends around until an updated EndpointSlice was received (#​45198, @​joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.3@​sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.3@​sha256:a8136a7615d6c6041d3aa6f2674d17beaec238170d669507ccc05328a778e2b7

docker-plugin

quay.io/cilium/docker-plugin:v1.19.3@​sha256:728c3903518b0b6904e7208143355b38b7e6de3b514694fb6098b25bb9457397

hubble-relay

quay.io/cilium/hubble-relay:v1.19.3@​sha256:5ee21d57b6ef2aa6db67e603a735fdceb162454b352b7335b651456e308f681b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.3@​sha256:176321a65123373ff8c7823b25183102cbad98375e8d6c80b96d68b6e8491103

operator-aws

quay.io/cilium/operator-aws:v1.19.3@​sha256:a53dcbfb77282bf2ddd3abbe60f6d49762e7c1389a36cb35b71d504644a56640

operator-azure

quay.io/cilium/operator-azure:v1.19.3@​sha256:699c1571a3df1a98882ee13610d47cffb7b34ee7e8d276096db798a5f6c7e4cb

operator-generic

quay.io/cilium/operator-generic:v1.19.3@​sha256:205b09b0ed6accbf9fe688d312a9f0fcfc6a316fc081c23fbffb472af5dd62cd

operator

quay.io/cilium/operator:v1.19.3@​sha256:9075e6944996227574762ec0118caab0145d6e67f821409c4a6756b6b6caf6ea

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: cmd/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.35.2 -> v0.35.3
k8s.io/apiextensions-apiserver	v0.35.2 -> v0.35.3
k8s.io/apimachinery	v0.35.2 -> v0.35.3
k8s.io/client-go	v0.35.2 -> v0.35.3
k8s.io/utils	v0.0.0-20260210185600-b8788abfbbc2 -> v0.0.0-20260319190234-28399d86e0b5

File name: flow/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.35.2 -> v0.35.3
k8s.io/apiextensions-apiserver	v0.35.2 -> v0.35.3
k8s.io/apimachinery	v0.35.2 -> v0.35.3
k8s.io/client-go	v0.35.2 -> v0.35.3
k8s.io/utils	v0.0.0-20260210185600-b8788abfbbc2 -> v0.0.0-20260319190234-28399d86e0b5

[kaworu]

Closing in favor of #276

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.19.3). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.