Buoyant Enterprise for Linkerd

March 9, 2026

The 2.19.5 stable point release updates some dependencies to address reported CVEs in underlying components.

Who should upgrade?

This is a CVE hygiene release and does not fix any known exploitable vulnerabilities with Linkerd. Users may upgrade to this release at their convenience.

Upgrade guidance

This is a stable point release designed to introduce minimal change. Please see the instructions in Upgrading BEL for how to upgrade.

To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.39.0 or later.

Changelog

• Update bytes crate to remediate CVE-2026-25541
• Update time crate to remediate CVE-2026-25727
• Update aws-lc-sys crate to remediate
  • CVE-2026-3336
  • GHSA-65p9-r9h6-22vj
  • GHSA-hfpc-8r3f-gw53
• Update golang to remediate
  • CVE-2025-61732
  • CVE-2025-68119
  • CVE-2025-68121
  • CVE-2025-61731
  • CVE-2025-61730
  • CVE-2025-61728
  • CVE-2025-61726
• Update Debian to remediate
  • CVE-2026-22795
  • CVE-2025-69420
  • CVE-2025-69419
  • CVE-2025-69418
  • CVE-2026-22796
  • CVE-2025-15467
  • CVE-2025-69421
  • CVE-2025-68160
  • CVE-2025-15468
  • CVE-2025-15469
  • CVE-2025-66199
  • CVE-2025-11187