CRI-O v1.36.0
The release notes have been generated for the commit range v1.35.0…ea80b28 on Sat, 02 May 2026 00:27:55 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
The OpenVEX report for this release is available at:
The SLSA provenance attestation for this release is available at:
All release artifacts (bundles, SBOMs, VEX, and provenance) are also available as signed OCI artifacts at ghcr.io/cri-o/bundle:ea80b283314eacb19271008770d634b41d72bb27.
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.ea80b283314eacb19271008770d634b41d72bb27.tar.gz \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--bundle cri-o.amd64.ea80b283314eacb19271008770d634b41d72bb27.tar.gz.bundle
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.ea80b283314eacb19271008770d634b41d72bb27.tar.gz
> bom validate -e cri-o.amd64.ea80b283314eacb19271008770d634b41d72bb27.tar.gz.spdx -d cri-o
To verify the OpenVEX vulnerability report, run:
> cosign verify-blob cri-o.ea80b283314eacb19271008770d634b41d72bb27.openvex.json \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--bundle cri-o.ea80b283314eacb19271008770d634b41d72bb27.openvex.json.bundle
To verify the SLSA provenance attestation, run:
> cosign verify-blob cri-o.ea80b283314eacb19271008770d634b41d72bb27.provenance.json \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--bundle cri-o.ea80b283314eacb19271008770d634b41d72bb27.provenance.json.bundle
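The cosign command above proves only that the provenance file itself was signed by the packaging workflow; it does not tie that file to the tarball you downloaded. The following added example (not part of the CRI-O release tooling) checks that an artifact's SHA-256 is listed as a subject of the provenance. It assumes the file is an in-toto statement, optionally wrapped in a DSSE envelope, whose subject name equals the artifact file name; the function names and sample data are hypothetical.

```python
import base64
import hashlib
import json


def load_statement(raw: bytes) -> dict:
    """Return the in-toto statement, unwrapping a DSSE envelope if present."""
    doc = json.loads(raw)
    if "payload" in doc and "payloadType" in doc:  # DSSE envelope (assumed layout)
        doc = json.loads(base64.b64decode(doc["payload"]))
    if "subject" not in doc or "predicateType" not in doc:
        raise ValueError("not an in-toto statement")
    return doc


def check_subject(provenance: bytes, artifact_name: str, artifact: bytes) -> str:
    """Return the predicate type if the artifact's SHA-256 is a listed subject.

    Raises ValueError when the name is absent or the digest differs, so a
    validly signed provenance file cannot vouch for a swapped tarball.
    """
    statement = load_statement(provenance)
    actual = hashlib.sha256(artifact).hexdigest()
    for subject in statement["subject"]:
        if subject.get("name") != artifact_name:
            continue
        expected = subject.get("digest", {}).get("sha256", "").lower()
        if expected == actual:
            return statement["predicateType"]
        raise ValueError(f"digest mismatch for {artifact_name}")
    raise ValueError(f"{artifact_name} is not a subject of this provenance")


# Constructed sample data; a real run reads both files from disk.
SAMPLE_NAME = "cri-o.amd64.example.tar.gz"
SAMPLE_ARTIFACT = b"constructed tarball bytes"
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": SAMPLE_NAME,
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicate": {},
}).encode()
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(SAMPLE_STATEMENT).decode(),
    "signatures": [],
}).encode()

if __name__ == "__main__":
    print(check_subject(SAMPLE_STATEMENT, SAMPLE_NAME, SAMPLE_ARTIFACT))
    print(check_subject(SAMPLE_ENVELOPE, SAMPLE_NAME, SAMPLE_ARTIFACT))
```

Run this check only after the signature on the provenance file has been verified, since an unsigned statement can list any digest.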
Changelog since v1.35.0
Changes by Kind
Dependency-Change
- Fix CVE-2026-35469 by updating spdystream dependency (#9880, @haircommander)
Other
- NRI: pass any container POSIX rlimits to NRI plugins as input. (#9707, @klihub)
- NRI: pass any container user ID/group ID information to NRI plugins as input (#9708, @klihub)
- NRI: pass more complete container status to NRI, including PID, exit code, and timestamps for container creation, start, and exit events (#9706, @klihub)
Feature
- Add OpenVEX vulnerability report generation for releases (#9767, @saschagrunert)
- Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9870, @haircommander)
- Added tls_min_version and tls_cipher_suites configuration options to [crio.api] for configuring TLS settings on streaming and metrics servers. Supports TLS 1.2 (default) and TLS 1.3. (#9723, @asahay19)
- Added support for configuring additional read-only artifact stores via the additional_artifact_stores configuration option. (#9702, @pauloappbr)
- Implement StreamContainers, StreamContainerStats, StreamPodSandboxes, StreamPodSandboxStats, StreamPodSandboxMetrics, StreamImages (#9761, @bitoku)
Bug or Regression
- Fix concurrent RemoveImage race condition by handling ErrNotAnImage as an idempotent deletion result. (#9803, @jnovy)
- Fixed UpdateContainerResources to apply cgroupv2 unified settings (#9820, @PannagaRao)
- Fixed a bug where CRI-O didn’t return all metrics when “all” is set. (#9719, @bitoku)
- Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#9799, @sabujmaity)
- Fixed a regression in v1.35.0 where systemd containers with hostUsers: false (user namespaces enabled) would fail with “Permission denied” errors when systemd attempted to create cgroups. (#9712, @saschagrunert)
- Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#9782, @bitoku)
- Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9846, @bitoku)
- PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#9728, @saschagrunert)
- Respect the same pinned_images configuration used by regular container images (#9836, @bitoku)
Other (Cleanup or Flake)
- Skip the OCI artifact pull fallback when the initial image pull fails due to a retryable error (#9778, @bitoku)
Uncategorized
- Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9860, @harche)
- CRI-O now continuously monitors CNI plugin health using the STATUS verb. If a plugin becomes unhealthy after initial readiness, the node is reported as NetworkReady=false, preventing pod scheduling on affected nodes. The node self-heals when the plugin recovers. (#9855, @tsorya)
Dependencies
Added
- cyphar.com/go-pathrs: v0.2.1
- github.com/checkpoint-restore/go-criu/v8: v8.2.0
- github.com/clipperhouse/displaywidth: v0.6.0
- github.com/clipperhouse/stringish: v0.1.1
- github.com/clipperhouse/uax29/v2: v2.3.0
- github.com/mistifyio/go-zfs/v4: v4.0.0
- github.com/olekukonko/cat: 50322a0
- k8s.io/streaming: v0.36.0-beta.0
Changed
- capnproto.org/go/capnp/v3: v3.1.0-alpha.1 → v3.1.0-alpha.2
- cel.dev/expr: v0.24.0 → v0.25.1
- github.com/BurntSushi/toml: v1.5.0 → v1.6.0
- github.com/avast/retry-go/v4: v4.6.1 → v4.7.0
- github.com/checkpoint-restore/checkpointctl: v1.4.0 → v1.5.0
- github.com/cncf/xds/go: 0feb691 → ee656c7
- github.com/containerd/console: v1.0.4 → v1.0.5
- github.com/containerd/containerd: v1.7.29 → v1.7.30
- github.com/containerd/stargz-snapshotter/estargz: v0.17.0 → v0.18.2
- github.com/containers/conmon-rs: 737e4d6 → v0.7.3
- github.com/coreos/go-systemd/v22: v22.6.0 → v22.7.0
- github.com/cyphar/filepath-securejoin: v0.4.1 → v0.6.1
- github.com/docker/cli: v28.5.1+incompatible → v29.1.5+incompatible
- github.com/docker/docker-credential-helpers: v0.9.4 → v0.9.5
- github.com/docker/docker: v28.5.1+incompatible → v28.5.2+incompatible
- github.com/emicklei/go-restful/v3: v3.12.2 → v3.13.0
- github.com/envoyproxy/go-control-plane/envoy: v1.35.0 → v1.36.0
- github.com/envoyproxy/go-control-plane: 75eaa19 → v0.14.0
- github.com/envoyproxy/protoc-gen-validate: v1.2.1 → v1.3.0
- github.com/go-chi/chi/v5: v5.2.3 → v5.2.5
- github.com/godbus/dbus/v5: v5.2.0 → v5.2.2
- github.com/google/go-containerregistry: v0.20.6 → v0.20.7
- github.com/google/pprof: f64d9cf → 294ebfa
- github.com/grpc-ecosystem/grpc-gateway/v2: v2.27.3 → v2.28.0
- github.com/klauspost/compress: v1.18.0 → v1.18.3
- github.com/mattn/go-runewidth: v0.0.16 → v0.0.19
- github.com/mattn/go-sqlite3: v1.14.32 → v1.14.33
- github.com/maxbrunsfeld/counterfeiter/v6: v6.12.0 → v6.12.1
- github.com/moby/spdystream: v0.5.0 → v0.5.1
- github.com/olekukonko/ll: v0.0.9 → v0.1.3
- github.com/olekukonko/tablewriter: v1.1.0 → v1.1.2
- github.com/onsi/ginkgo/v2: v2.27.3 → v2.28.1
- github.com/onsi/gomega: v1.38.3 → v1.39.1
- github.com/opencontainers/runc: v1.3.2 → v1.4.0
- github.com/opencontainers/runtime-tools: edf4cb3 → 5e63903
- github.com/opencontainers/selinux: v1.12.0 → v1.13.1
- github.com/pkg/sftp: v1.13.9 → v1.13.10
- github.com/proglottis/gpgme: v0.1.5 → v0.1.6
- github.com/prometheus/common: v0.67.4 → v0.67.5
- github.com/prometheus/procfs: v0.17.0 → v0.19.2
- github.com/secure-systems-lab/go-securesystemslib: v0.9.1 → v0.10.0
- github.com/sergi/go-diff: 5b0b94c → v1.4.0
- github.com/sigstore/sigstore: v1.10.0 → v1.10.3
- github.com/sirupsen/logrus: v1.9.3 → v1.9.4
- github.com/urfave/cli: v1.22.16 → v1.22.17
- github.com/vbauerster/mpb/v8: v8.10.2 → v8.11.3
- go.opentelemetry.io/contrib/detectors/gcp: v1.38.0 → v1.39.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.64.0 → v0.66.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.63.0 → v0.65.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/metric: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/sdk/metric: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/sdk: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/trace: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel: v1.39.0 → v1.41.0
- go.podman.io/common: v0.66.1 → 1e46b07
- go.podman.io/storage: v1.61.0 → b0f86df
- golang.org/x/crypto: v0.46.0 → v0.48.0
- golang.org/x/mod: v0.30.0 → v0.32.0
- golang.org/x/net: v0.48.0 → v0.51.0
- golang.org/x/oauth2: v0.33.0 → v0.35.0
- golang.org/x/sys: v0.39.0 → v0.41.0
- golang.org/x/telemetry: bc8e575 → bd525da
- golang.org/x/term: v0.38.0 → v0.40.0
- golang.org/x/text: v0.32.0 → v0.34.0
- golang.org/x/tools: v0.39.0 → v0.41.0
- google.golang.org/genproto/googleapis/api: ff82c1b → 4cfbd41
- google.golang.org/genproto/googleapis/rpc: ff82c1b → 4cfbd41
- google.golang.org/grpc: v1.77.0 → v1.79.3
- google.golang.org/protobuf: v1.36.10 → f2248ac
- k8s.io/api: v0.35.0-rc.0 → v0.36.0-beta.0
- k8s.io/apimachinery: v0.35.0-rc.0 → v0.36.0-beta.0
- k8s.io/apiserver: v0.35.0-rc.0 → v0.35.1
- k8s.io/client-go: v0.35.0-rc.0 → v0.36.0-beta.0
- k8s.io/component-base: v0.35.0-rc.0 → v0.36.0-beta.0
- k8s.io/cri-api: v0.35.0-rc.0 → v0.36.0-beta.0
- k8s.io/cri-client: v0.35.0-rc.0 → v0.36.0-beta.0
- k8s.io/klog/v2: v2.130.1 → v2.140.0
- k8s.io/kms: v0.35.0-rc.0 → v0.35.1
- k8s.io/kube-openapi: 589584f → 43fb72c
- k8s.io/kubelet: v0.35.0-rc.0 → v0.35.1
- k8s.io/utils: bc988d5 → b8788ab
- sigs.k8s.io/knftables: v0.0.19 → v0.0.20
- sigs.k8s.io/release-utils: v0.12.2 → v0.12.3
- sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2
Removed
- github.com/checkpoint-restore/go-criu/v6: v6.3.0
- github.com/gregjones/httpcache: 901d907
- github.com/klauspost/cpuid/v2: v2.0.4
- github.com/minio/sha256-simd: v1.0.0