Buoyant Enterprise for Linkerd

May 19, 2026

The 2.19.7 stable point release updates some dependencies to address reported CVEs in underlying components.

Previous release: enterprise-2.19.6.

Supported Kubernetes versions

For this release, the minimum supported Kubernetes version remains 1.29, and the maximum supported Kubernetes version remains 1.35.

Who should upgrade?

This is a CVE hygiene release and does not fix any known exploitable vulnerabilities with Linkerd. Users may upgrade to this release at their convenience.

Upgrade guidance

This is a stable point release designed to introduce minimal change. Please see the instructions in Upgrading BEL for how to upgrade.

To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.39.0 or later.

Changelog

• Update go.opentelemetry.io/otel dependency to remediate
  • GHSA-mh2q-q3fh-2475
• Update golang to remediate
  • CVE-2026-27143
  • CVE-2026-27144
  • CVE-2026-32289
  • CVE-2026-32288
  • CVE-2026-32283
  • CVE-2026-32282
  • CVE-2026-32281
  • CVE-2026-32280
  • CVE-2026-27140
• Update github.com/moby/spdystream dependency to remediate
  • GHSA-pc3f-x583-g7j2
• Update musl-utils dependency to remediate
  • CVE-2026-6042
  • CVE-2026-40200
• Update libcap2 dependency to remediate
  • CVE-2026-4878
• Update helm.sh/helm/v3 dependency to remediate
  • GHSA-hr2v-4r36-88hr
• Update libssl3 dependency to remediate
  • CVE-2026-2673
  • CVE-2026-31790
  • CVE-2026-31789
  • CVE-2026-28390
  • CVE-2026-28389
  • CVE-2026-28388
  • CVE-2026-28387
• Update libc dependency to remediate
  • CVE-2025-15281
  • CVE-2026-0861
  • CVE-2026-0915
  • CVE-2026-4046
  • CVE-2026-4437
  • CVE-2026-4438