Flynn
December 11, 2025
Linkerd 2.14 reached its end of life on June 1, 2025, and we strongly recommend that you upgrade.
Linkerd 2.14 was first released in August 2023 and its final point release (2.14.10) shipped in February 2024. Since then, we’ve shipped 5 new major versions of Linkerd, and the 2.14 release has received no further bugfixes and no CVE remediation. It has 18 known CVEs of medium or higher severity (the full list is below), so it should not be relied on to secure your communications. There are also many new features available in newer Linkerd versions.
We strongly recommend upgrading to Buoyant Enterprise for Linkerd 2.19 rather than continuing to run Linkerd 2.14. If that’s not an option, running Linkerd edge releases is also a possibility.
Buoyant Enterprise for Linkerd
Buoyant Enterprise for Linkerd (BEL) is the enterprise distribution of Linkerd from Buoyant. It gives you stable releases, CVE SLAs, lifecycle automation, extra testing and hardening, and extra features (like HAZL, FIPS, Buoyant Cloud, our new dashboard, and Windows support). It’s the version that we at Buoyant run for our own production infrastructure.
Supported BEL releases regularly receive patches with backported fixes for bugs and CVEs, ensuring that fixes are available without other unrelated changes that might affect production installations.
Edge releases
Edge releases are produced by the open-source Linkerd project. They are tested for production use, as they are a critical part of how the project gets feedback from the community about what works and what doesn’t.
Edge releases never receive backported bugfixes: instead, fixes for bugs and CVEs are delivered as part of a newer edge release, which may have other unrelated changes such as new features.
Please act now
We at Buoyant will be delighted to help you switch to BEL, or if you decide to go the edge release route, there's a great community on the Linkerd Slack to answer any questions. Whichever route you choose, it is important to understand that Linkerd 2.14 has reached its end of life: it is neither maintained nor supported, and we strongly recommend upgrading.
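The first step is knowing which control plane you are actually running. The following is an added example, not Buoyant's or the Linkerd project's own tooling: it reads the server (control-plane) tag from `linkerd version` and classifies it against the support picture in this post (2.18 and 2.19 supported; 2.14 and earlier stable releases end of life; edge releases only current if they are the newest one). It assumes the tag formats `stable-X.Y.Z`, `enterprise-X.Y.Z` (BEL) and `edge-YY.M.N`; the sample `linkerd version` output is constructed for offline use.

```shell
#!/bin/sh
# Added example (not Buoyant's or the Linkerd project's code): classify the
# Linkerd control-plane version reported by `linkerd version` against the
# support statement in this post.
#
# Assumptions: `linkerd version` prints a line "Server version: <tag>", where
# <tag> is stable-2.14.10 (OSS stable), enterprise-2.19.1 (BEL, assumed
# format) or edge-25.12.1 (edge release).

# Print one of: supported, eol, edge, unknown for a single version tag.
# Per this post, 2.18 and 2.19 are under active support; anything older that
# carries a stable-/enterprise- prefix is treated as no longer supported.
linkerd_version_status() {
  case "$1" in
    stable-2.1[89].*|stable-2.[2-9][0-9].*)         echo supported ;;  # 2.18, 2.19, 2.20+
    enterprise-2.1[89].*|enterprise-2.[2-9][0-9].*) echo supported ;;
    stable-2.*|enterprise-2.*)                      echo eol ;;        # 2.17 and older
    edge-*) echo edge ;;  # only the newest edge release carries fixes; compare by hand
    *)      echo unknown ;;
  esac
}

# Read `linkerd version` output on stdin and print the server tag only.
linkerd_server_tag() {
  awk '/^Server version:/ { print $3; exit }'
}

# Constructed sample of `linkerd version` output for a cluster still on 2.14.
SAMPLE_OUTPUT='Client version: stable-2.14.10
Server version: stable-2.14.10'

# Usage against a live cluster (prints "supported", "eol", "edge" or "unknown"):
#   linkerd_version_status "$(linkerd version 2>/dev/null | linkerd_server_tag)"
# Offline demonstration with the constructed sample:
#   linkerd_version_status "$(printf '%s\n' "$SAMPLE_OUTPUT" | linkerd_server_tag)"
```

Anything reported as `eol` should be upgraded; an `edge` result still needs to be compared against the newest edge release, since edge releases never receive backported fixes.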
Known high and medium CVEs in Linkerd 2.14
These are all fixed in Linkerd 2.18 and 2.19, which are both under active support, and they’re also fixed in our most recent edge releases (for example, edge-25.12.1).
- CVE-2025-22874 (High): Go crypto/x509: ExtKeyUsageAny could disable policy validation when policy graphs are present.
- CVE-2025-4674 (High): Go cmd/go: may execute unexpected commands in untrusted VCS repos with mixed metadata.
- CVE-2025-47907 (High): Go database/sql: canceling a query in parallel can corrupt results or cause errors.
- CVE-2025-53547 (High): Helm: crafted chart + symlinked Chart.lock → local code execution; fixed in Helm ≥ 3.18.4.
- CVE-2025-22868 (High): Go x/oauth2: malformed token → excessive memory use.
- CVE-2025-43915 (Medium): Linkerd proxy metrics cardinality can cause memory growth / overload.
- CVE-2023-4039 (Medium): GCC AArch64 stack protector may miss overflows.
- CVE-2024-13176 (Medium): OpenSSL ECDSA timing leak of private keys.
- CVE-2025-0913 (Medium): Go os.OpenFile: Windows symlink handling with O_CREATE.
- CVE-2025-4673 (Medium): Go HTTP: proxy auth headers may leak across cross-origin redirects.
- CVE-2025-55199 (Medium): Helm: schema $ref to /dev/zero → OOM; fixed in 3.18.5.
- CVE-2025-55198 (Medium): Helm: improper type validation in Chart.yaml → panic; fixed in 3.18.5.
- CVE-2025-4432 (Medium): Rust ring AES could panic; QUIC packets may trigger; fixed in 0.17.13.
- CVE-2024-12224 (Medium): Rust idna/url: punycode hostname confusion.
- GHSA-rpmj-rpgj-qmpm (Medium): Rust-OpenSSL: ssl::select_next_proto use-after-free; fixed in openssl crate 0.10.70.
- GHSA-4fcv-w3qc-ppgg (Medium): Rust-OpenSSL UAF in Md::fetch/Cipher::fetch; fixed in openssl crate 0.10.72.
- GHSA-r24f-hg58-vfrw (Medium): Rust unsafe-libyaml: unaligned writes on 32/16-bit; fixed in 0.2.10.
- GHSA-rjhf-4mh8-9xjq (Medium): Rust zerocopy: unsound Ref methods; alias of GHSA-3mv5-343c-w2qg.
