fix(deps): update module github.com/cilium/cilium to v1.18.8 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cilium/cilium	v1.18.1 → v1.18.8

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-33726

Impact

Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled.

Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, but not AKS BYOCNI), and some GKE deployments (gke.enabled; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment.

Patches

This issue was fixed by #​44693.

This issue affects:

• Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
• Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
• All versions of Cilium prior to v1.17.13

This issue is fixed in:

• Cilium v1.19.2
• Cilium v1.18.8
• Cilium v1.17.14

Workarounds

Disclaimer: There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.

Acknowledgements

The Cilium community has worked together with members of the Northflank and Isovalent teams to prepare these mitigations. Cilium thanks @​sudeephb and @​Champ-Goblem for reporting the issue and to @​smagnani96 and @​julianwiedmann for helping with the resolution.

For more information

Anyone who believes a vulnerability affecting Cilium has been found is strongly encouraged to report it to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and any such report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.18.8: 1.18.8

Compare Source

Known issues

• Users who deploy Cilium on GKE should skip this version or upgrade to 1.19.2 due to a known regression.

Summary of Changes

Minor Changes:

• Allow to attach Cilium's XDP program on network interfaces that have jumbo MTU configured and support xdp.frags program type. (Backport PR #​44499, Upstream PR #​41967, @​viktor-kurchenko)

Bugfixes:

• bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44758, Upstream PR #​44658, @​smagnani96)
• cilium-dbg: fix seg-fault ip get -l reserved:host (Backport PR #​44519, Upstream PR #​44443, @​aanm)
• Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #​44499, Upstream PR #​44209, @​dylandreimerink)
• Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #​44592, Upstream PR #​44540, @​tklauser)
• Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR #​44021, Upstream PR #​43999, @​EmilyShepherd)
• Fix envoy admin socket being created as world-accessible (Backport PR #​44592, Upstream PR #​44512, @​0xch4z)
• Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #​44519, Upstream PR #​44462, @​liyihuang)
• Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #​44700, Upstream PR #​44513, @​akos011221)
• gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #​44519, Upstream PR #​44492, @​youngnick)
• l7lb: fix bypassing ingress policies for local backends (Backport PR #​44804, Upstream PR #​44693, @​smagnani96)
• loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #​44399, Upstream PR #​44286, @​mhofstetter)

CI Changes:

• gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR #​44519, Upstream PR #​44381, @​julianwiedmann)

Misc Changes:

• chore(deps): update all github action dependencies (v1.18) (#​44372, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44480, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44579, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44681, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44791, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​44369, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44580, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44678, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.8 (v1.18) (#​44810, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.18) (#​44344, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.18) (#​44401, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.18) (#​44577, @​cilium-renovate[bot])
• chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.18) (#​44679, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to d1e2e92 (v1.18) (#​44476, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to e3f9456 (v1.18) (#​44797, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f512d81 (v1.18) (#​44575, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.18) (#​44370, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.18) (#​44680, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.18) (#​44371, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.18) (#​44478, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.18) (#​44676, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.18) (#​44789, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.18) (#​44807, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44252, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44479, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44677, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44790, @​cilium-renovate[bot])
• Docs: improve docs around ipsec upgrade in 1.18 (Backport PR #​44399, Upstream PR #​44302, @​darox)
• fix(deps): update k8s.io patch updates stable (v1.18) (#​44477, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.33.9 (v1.18) (patch) (#​44578, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 0f775a3 (v1.18) (#​44576, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 15301c2 (v1.18) (#​44675, @​cilium-renovate[bot])
• loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR #​44519, Upstream PR #​44323, @​mhofstetter)

Other Changes:

• [1.18] gha: Use eks 1.32 from us-west-2 (#​44753, @​sayboras)
• [v1.18] endpoint/bpf: remove change empty condition for updateEnvoy (#​44616, @​liyihuang)
• [v1.18] gh: verifier: disable RHEL8 (#​44317, @​julianwiedmann)
• [v1.18] loadbalancer: Fix flake in hybrid-dsr.txtar (#​44756, @​julianwiedmann)
• install: Update image digests for v1.18.7 (#​44326, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.8@​sha256:070a63cc414869cf6c53202cb50929a87adb7d5b25de0f2f40ab39eb6434b706

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.8@​sha256:5cb08daad7397f52ce5c36fcbfe83c56494f340d9b8f10f8bc7a3f2a812c33d5

docker-plugin

quay.io/cilium/docker-plugin:v1.18.8@​sha256:8e1c89bc4ef3bbc55a10edc96a9f2915af45181e46ff189c00f3d8fb7825a0b7

hubble-relay

quay.io/cilium/hubble-relay:v1.18.8@​sha256:dcf324aa35ab59c8fe6d002e3df6a63fff18280da464d09e4a97d58c085bb015

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.8@​sha256:36c1702c8afd0b0221e3d88ca08537100caef509de6a6bb7244d5fa4643a7252

operator-aws

quay.io/cilium/operator-aws:v1.18.8@​sha256:7ab154b269eae378456d63cc9085d96c4f472e11a1496ca4c62af68ff4b31da3

operator-azure

quay.io/cilium/operator-azure:v1.18.8@​sha256:a4027d349e817bda9168af1e27231be491a3026c748128a79026e366321f6332

operator-generic

quay.io/cilium/operator-generic:v1.18.8@​sha256:f9d1715932751b1454d0f59b492497cb1636dea6335beab0f9026fa8b5a6f62f

operator

quay.io/cilium/operator:v1.18.8@​sha256:cc3f7bdf9e443b807d3cb9b0bd30eddac5591c3f4b1e6fa053bfaa8697a7ee58

v1.18.7: 1.18.7

Compare Source

Summary of Changes

Minor Changes:

• Exclude topology.kubernetes.io labels from security labels by default (Backport PR #​43777, Upstream PR #​43725, @​moscicky)
• hubble-relay: Add hubble.relay.logOptions.format and hubble.relay.logOptions.level Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #​44004, Upstream PR #​43644, @​puwun)

Bugfixes:

• Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43912, @​fgiloux)
• bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #​43923, Upstream PR #​43868, @​br4243)
• bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #​43886, Upstream PR #​43069, @​borkmann)
• clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #​44056, Upstream PR #​43807, @​MrFreezeex)
• Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43756, Upstream PR #​43095, @​aditighag)
• Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR #​43861, Upstream PR #​43196, @​yushoyamaguchi)
• Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43949, @​giorio94)
• helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44281, Upstream PR #​44159, @​puwun)
• loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint from Service A causes all requests to Service B to fail if the name of Service A is the prefix of Service B (Backport PR #​43777, Upstream PR #​43620, @​imroc)
• Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44281, Upstream PR #​43517, @​pasteley)

CI Changes:

• fix(ctmap/gc): fix race conditions and flakiness in TestGCEnableRatchet (Backport PR #​44056, Upstream PR #​42009, @​AritraDey-Dev)
• gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44109, @​julianwiedmann)
• gh: ariane: skip more workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44115, @​julianwiedmann)
• gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #​44004, Upstream PR #​43921, @​giorio94)
• gke: lower scope of ESP firewall rule (Backport PR #​43865, Upstream PR #​43691, @​marseel)

Misc Changes:

• .github/workflows: use proper directory structure for GH actions (#​43760, @​aanm)
• chore(deps): update all github action dependencies (v1.18) (#​43845, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​43984, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44253, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​43839, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43840, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43983, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44098, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18) (#​43844, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.22.3 (v1.18) (#​44096, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.18) (#​44249, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.18) (#​43979, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.18) (#​43980, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.18) (#​44250, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.18) (#​43841, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18) (#​43842, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18) (#​43981, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18) (#​44251, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18) (#​44260, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43843, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43982, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44097, @​cilium-renovate[bot])
• docs: add helm underlayProtocol value to documentation (Backport PR #​44056, Upstream PR #​43934, @​aanm)
• docs: adjust URL to latest stable Hubble CLI version (Backport PR #​43777, Upstream PR #​43745, @​tklauser)
• docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #​44056, Upstream PR #​44042, @​EmilyShepherd)
• docs: Update docsearch to v4.5.4 (Backport PR #​44273, Upstream PR #​44233, @​joestringer)
• Documentation: Added Helm configuration instructions for enabling and customizing metrics. (Backport PR #​44056, Upstream PR #​43481, @​suunj)
• gitattributes: make install/kubernetes driver match more specific. (Backport PR #​44056, Upstream PR #​43943, @​tommyp1ckles)
• multicast: fix nil assignment to node configuration cell.Out map (Backport PR #​43865, Upstream PR #​40859, @​ldelossa)
• workflows: Add id-token permission to call-publish-helm job (Backport PR #​43777, Upstream PR #​43717, @​aanm)

Other Changes:

• .github/workflows: remove stable from v1.18 branch (#​44153, @​aanm)
• [v1.18] Backport setup gke cluster (#​43793, @​Artyop)
• install: Update image digests for v1.18.6 (#​43714, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.7@​sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.7@​sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa

docker-plugin

quay.io/cilium/docker-plugin:v1.18.7@​sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9

hubble-relay

quay.io/cilium/hubble-relay:v1.18.7@​sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.7@​sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0

operator-aws

quay.io/cilium/operator-aws:v1.18.7@​sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45

operator-azure

quay.io/cilium/operator-azure:v1.18.7@​sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f

operator-generic

quay.io/cilium/operator-generic:v1.18.7@​sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7

operator

quay.io/cilium/operator:v1.18.7@​sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f

v1.18.6: 1.18.6

Compare Source

Summary of Changes

Major Changes:

• Publish Helm charts to OCI registries (Backport PR #​43689, Upstream PR #​43624, @​aanm)

Minor Changes:

• Cilium Preflight check no longer includes Envoy Configmaps, making it easier to correctly run. (Backport PR #​43290, Upstream PR #​43153, @​youngnick)
• runtime: Add libatomic1 for cilium-envoy dependency (Backport PR #​43642, Upstream PR #​43292, @​sayboras)

Bugfixes:

• bpf:wireguard: delivery host packets to bpf_host for ingress policies (Backport PR #​43690, Upstream PR #​42892, @​smagnani96)
• cgroup: don't start watch if KPRConfig.EnableSocketLB is disabled (Backport PR #​43290, Upstream PR #​43256, @​mhofstetter)
• Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43425, Upstream PR #​43095, @​aditighag)
• Fix an issue in proxy NOTRACK iptables rule for aws-cni chaining mode which causes proxy->upstream(outside cluster) traffic not being SNAT'd. (Backport PR #​43676, Upstream PR #​43566, @​fristonio)
• Fix GC of possible duplicated identities in kvstore mode (Backport PR #​43425, Upstream PR #​43287, @​giorio94)
• Fixes a deadlock that was causing endpoint to be stuck without progressing with any updates. (Backport PR #​43290, Upstream PR #​43242, @​marseel)
• gateway-api: correctly handle CiliumGatewayClassConfig as a namespaced resource. (Backport PR #​43290, Upstream PR #​43254, @​youngnick)
• xds: fix nil-pointer in processRequestStream (Backport PR #​43612, Upstream PR #​43609, @​mhofstetter)

CI Changes:

• bpf: tests: egressgw: enable HostFW (Backport PR #​43337, Upstream PR #​42955, @​julianwiedmann)
• bpf: tests: egressgw: install ipcache_v6_add_world_entry() (Backport PR #​43337, Upstream PR #​42988, @​julianwiedmann)
• chore: comment job to use generated token instead of PAT (Backport PR #​43612, Upstream PR #​43148, @​sekhar-isovalent)
• ci: Use newer lvh image for privileged tests (Backport PR #​43490, Upstream PR #​41082, @​rastislavs)

Misc Changes:

• .github/workflows: remove auto-requested reviewers (Backport PR #​43425, Upstream PR #​42952, @​aanm)
• Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (Backport PR #​43425, Upstream PR #​40272, @​syedazeez337)
• bpf: clear mark content before storing the cluster ID (Backport PR #​43290, Upstream PR #​43159, @​giorio94)
• bpf: prevent cluster ID from being incorrectly retrieved from mark when aliased (Backport PR #​43290, Upstream PR #​43258, @​giorio94)
• chore(deps): update all github action dependencies (v1.18) (#​43467, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​43665, @​cilium-renovate[bot])
• chore(deps): update anchore/sbom-action action to v0.21.0 (v1.18) (#​43512, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43543, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43664, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 2383baa (v1.18) (#​43662, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.11 docker digest to 54528d1 (v1.18) (#​43464, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.7 (v1.18) (#​43465, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.18) (#​43539, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9 (v1.18) (#​43638, @​cilium-renovate[bot])
• chore(deps): update rhysd/actionlint docker tag to v1.7.10 (v1.18) (#​43541, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43466, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43542, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43571, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43663, @​cilium-renovate[bot])
• cmapisrv/test: miscellaneous fixes to the ciliumidentities script test (Backport PR #​43425, Upstream PR #​43372, @​giorio94)
• docs: Add missing IPv6 fragmentation BPF map reference (Backport PR #​43290, Upstream PR #​43161, @​doniacld)
• Fix a regression in the new services control plane where loadBalancerSourceRanges was applied by default to all service types. (Backport PR #​43575, Upstream PR #​42351, @​borkmann)
• operator: the K8s Secret synchronization process now resynchronizes after an hour for synced Secrets. (Backport PR #​43425, Upstream PR #​42414, @​youngnick)
• release: change OCI registry (Backport PR #​43689, Upstream PR #​43646, @​aanm)
• route: install ingress proxy routes with WireGuard and L7Proxy (Backport PR #​43434, Upstream PR #​42835, @​smagnani96)

Other Changes:

• [v1.18] bpf:hubble: support policy verdict from L3 devices (#​43381, @​smagnani96)
• [v1.18] deps: bump CNI plugins version to v1.9.0 (#​43593, @​diyi0926)
• install: Update image digests for v1.18.5 (#​43400, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.6@​sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4
quay.io/cilium/cilium:stable@sha256:42ec562a5ff6c8a860c0639f5a7611685e253fd9eb2d2fcdade693724c9166a4

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.6@​sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b
quay.io/cilium/clustermesh-apiserver:stable@sha256:8ee142912a0e261850c0802d9256ddbe3729e1cd35c6bea2d93077f334c3cf3b

docker-plugin

quay.io/cilium/docker-plugin:v1.18.6@​sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f
quay.io/cilium/docker-plugin:stable@sha256:7931555ad713a48a28e4bf097402e0e398461dbf51b81cb8192558c5cb0dc48f

hubble-relay

quay.io/cilium/hubble-relay:v1.18.6@​sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e
quay.io/cilium/hubble-relay:stable@sha256:fb6135e34c31e5f175cb5e75f86cea52ef2ff12b49bcefb7088ed93f5009eb8e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.6@​sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c
quay.io/cilium/operator-alibabacloud:stable@sha256:212c4cbe27da3772bcb952b8f8cbaa0b0eef72488b52edf90ad2b32072a3ca4c

operator-aws

quay.io/cilium/operator-aws:v1.18.6@​sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb
quay.io/cilium/operator-aws:stable@sha256:47dbc1a5bd483fec170dab7fb0bf2cca3585a4893675b0324d41d97bac8be5eb

operator-azure

quay.io/cilium/operator-azure:v1.18.6@​sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1
quay.io/cilium/operator-azure:stable@sha256:a57aff47aeb32eccfedaa2a49d1af984d996d6d6de79609c232e0c4cf9ce97a1

operator-generic

quay.io/cilium/operator-generic:v1.18.6@​sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af
quay.io/cilium/operator-generic:stable@sha256:34a827ce9ed021c8adf8f0feca131f53b3c54a3ef529053d871d0347ec4d69af

operator

quay.io/cilium/operator:v1.18.6@​sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b
quay.io/cilium/operator:stable@sha256:0e8903aa092025918761d24ae9a91af35baa5b6910b5d0e3feac91ab8a2bc65b

v1.18.5: 1.18.5

Compare Source

Summary of Changes

Minor Changes:

• [v1.18] proxy: Bump envoy version to v1.34.11 (#​43143, @​sayboras)
• Change the sidecar etcd instance of the Cluster Mesh API Server listen on all IP addresses (Backport PR #​42948, Upstream PR #​42818, @​giorio94)

Bugfixes:

• allow missing verbs for cilium-agent cluster role when readSecretsOnlyFromSecretsNamespace is false (Backport PR #​42948, Upstream PR #​42790, @​kraashen)
• AWS EC2: Fix ENI attachment on multi-network card instances with high-performance networking (EFA) setups (Backport PR #​42745, Upstream PR #​42512, @​41ks)
• CiliumEnvoyConfig proxy ports are now restored on agent restarts. (Backport PR #​43117, Upstream PR #​43108, @​jrajahalme)
• Cleanup FQDNs that have leaked into the global FQDN cache (Backport PR #​42864, Upstream PR #​42485, @​sjohnsonpal)
• Do not opt-out Endpoint ID 1 from dnsproxy transparent mode. (Backport PR #​42948, Upstream PR #​42887, @​jrajahalme)
• ENI: Fix panic on nil subnet (Backport PR #​43117, Upstream PR #​43023, @​HadrienPatte)
• Ensure cilium-agent gracefully does fallbacks when etcd is in a bad state. (Backport PR #​43059, Upstream PR #​42977, @​odinuge)
• Fix a bug that would cause Cilium to not report L4 checksum update errors when the length attribute is missing in ICMP Error messages with TCP inner packets. (Backport PR #​42828, Upstream PR #​42426, @​yushoyamaguchi)
• Fix a bug that would cause IPsec logs to incorrectly report the XFRM rules being processed as "Ingress" rules. (Backport PR #​42828, Upstream PR #​42640, @​sjohnsonpal)
• Fix agent local identity leak (Backport PR #​43117, Upstream PR #​42662, @​odinuge)
• Fix bug that could cause the agent to fail to add XFRM states when IPsec is enabled, thus preventing a proper startup. (Backport PR #​42948, Upstream PR #​42666, @​pchaigno)
• Fix GC of per-cluster ctmap entries (Backport PR #​43294, Upstream PR #​43160, @​giorio94)
• Fix ipcache issues causing severe issues with the fqdn subsystem (Backport PR #​42864, Upstream PR #​42815, @​odinuge)
• Fix issue where endpoints got stuck in "waiting-to-regenerate" (Backport PR #​42948, Upstream PR #​42856, @​odinuge)
• Fix leak in the policy subsystem (Backport PR #​43117, Upstream PR #​42661, @​odinuge)
• Fix rare kvstore issue where cilium continues to use an expired lease causing kvstore operations to fail consistently (Backport PR #​42745, Upstream PR #​42709, @​odinuge)
• fqdn: Fix fqdn subsystem correctness issues causing packet drops and inconsistent ipcache (Backport PR #​43117, Upstream PR #​42500, @​odinuge)
• In rare cases, the cilium-operator losing the lead of the HA deployment could continue acting as if leading for at most a minute, leading to split-brain problems such as double allocation of pod CIDRs. (Backport PR #​43059, Upstream PR #​42920, @​bimmlerd)
• KVStoreMesh now correctly respects the CA bundle setting when validating remote cluster certificates (Backport PR #​42828, Upstream PR #​42726, @​giorio94)
• policy: Fix rare Endpoint Selector Policy Deadlock causing policies to not be updated with new identities (Backport PR #​42864, Upstream PR #​42306, @​odinuge)
• Recreate CiliumEndpoints (k8s resource) if they are accidentally deleted. (Backport PR #​43117, Upstream PR #​42877, @​aanm)
• redirectpolicy: Avoid recomputing on pod changes that do not change resulting redirect backends (Backport PR #​42948, Upstream PR #​42814, @​joamaki)

CI Changes:

• bpf: test: add BPF Masq tests for unknown / handled protocols (Backport PR #​42711, Upstream PR #​42144, @​julianwiedmann)
• bpf: test: egressgw: fix up ENABLE_MASQUERADE (Backport PR #​42966, Upstream PR #​42912, @​julianwiedmann)
• bpf: tests: add BPF MASQ test for ICMP ECHOs (Backport PR #​42711, Upstream PR #​42656, @​julianwiedmann)
• bpf: tests: set ENABLE_MASQUERADE_IPV6 for EGW XDP test (Backport PR #​43059, Upstream PR #​42962, @​julianwiedmann)
• bpf:test: cover host endpoint case in tc_nodeport_l3_dev.h (Backport PR #​43059, Upstream PR [#​42983](https://redirect.github.com/cilium/cilium/issues/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/go-viper/mapstructure/v2	v2.3.0 -> v2.4.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
github.com/cilium/ebpf	v0.19.0 -> v0.20.1-0.20260218191617-ee67e7f43dd9
github.com/cilium/statedb	v0.4.5 -> v0.4.6
github.com/vishvananda/netlink	v1.3.1 -> v1.3.2-0.20250926155043-cd3cb2e12c97
k8s.io/kubectl	v0.33.3 -> v0.33.9
k8s.io/utils	v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20260210185600-b8788abfbbc2