diff --git a/projects/envoy/build.sh b/projects/envoy/build.sh
index 2bab3474558c..5792bdcb5711 100755
--- a/projects/envoy/build.sh
+++ b/projects/envoy/build.sh
@@ -27,7 +27,7 @@ FUZZER_DICTIONARIES="\
 
 # Skip gperftools, ASAN runs don't use tcmalloc.
 export DISABLE_GPERFTOOLS_BUILD=1
-sed -i 's#envoy_dependencies()#envoy_dependencies(skip_targets=["tcmalloc_and_profiler"])#' WORKSPACE
+sed -i 's#envoy_dependencies()#envoy_dependencies(skip_targets=["tcmalloc_and_profiler","tcmalloc_debug"])#' WORKSPACE
 
 # Copy $CFLAGS and $CXXFLAGS into Bazel command-line flags, for both
 # compilation and linking.
@@ -35,12 +35,17 @@ sed -i 's#envoy_dependencies()#envoy_dependencies(skip_targets=["tcmalloc_and_pr
 # Some flags, such as `-stdlib=libc++`, generate warnings if used on a C source
 # file. Since the build runs with `-Werror` this will cause it to break, so we
 # use `--conlyopt` and `--cxxopt` instead of `--copt`.
+#
+# While we shouldn't need to set --host_linkopt, it turns out that some builds
+# with host toolchains, e.g. protobuf, pickup the fact that we're doing ASAN for
+# the target when building libraries but don't cleanly handle the host link for
+# build tools (protoc). It seems somewhat harmless to be building protoc ASAN.
 declare -r EXTRA_BAZEL_FLAGS="$(
 for f in ${CFLAGS}; do
-  echo "--conlyopt=${f}" "--linkopt=${f}"
+  echo "--conlyopt=${f}" "--linkopt=${f}" "--host_linkopt=${f}"
 done
 for f in ${CXXFLAGS}; do
-  echo "--cxxopt=${f}" "--linkopt=${f}"
+  echo "--cxxopt=${f}" "--linkopt=${f}" "--host_linkopt=${f}"
 done
 )"
 
@@ -68,7 +73,6 @@ bazel build --verbose_failures --dynamic_mode=off --spawn_strategy=standalone \
   --define force_libcpp=enabled \
   --build_tag_filters=-no_asan \
   ${EXTRA_BAZEL_FLAGS} \
-  --linkopt="-lFuzzingEngine" \
   ${BAZEL_BUILD_TARGETS[*]} ${BAZEL_CORPUS_TARGETS[*]}
 
 # Profiling with coverage requires that we resolve+copy all Bazel symlinks and