CRI-O v1.36.0
The release notes have been generated for the commit range
v1.35.0…8273bca on Wed, 18 Mar 2026 00:16:52 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
The OpenVEX report for this release is available at:
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.8273bca378a36dd225fcaf90b6b732cc4c6d4248.tar.gz \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--bundle cri-o.amd64.8273bca378a36dd225fcaf90b6b732cc4c6d4248.tar.gz.bundle
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.8273bca378a36dd225fcaf90b6b732cc4c6d4248.tar.gz
> bom validate -e cri-o.amd64.8273bca378a36dd225fcaf90b6b732cc4c6d4248.tar.gz.spdx -d cri-o
To verify the OpenVEX vulnerability report, run:
> cosign verify-blob cri-o.8273bca378a36dd225fcaf90b6b732cc4c6d4248.openvex.json \
--certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository cri-o/packaging \
--certificate-github-workflow-ref refs/heads/main \
--bundle cri-o.8273bca378a36dd225fcaf90b6b732cc4c6d4248.openvex.json.bundle
Changelog since v1.35.0
Changes by Kind
Other
- Nri: pass any container POSIX rlimits to NRI plugins as input. (#9707, @klihub)
- Nri: pass any container user ID/group ID information to NRI plugins as input (#9708, @klihub)
- Nri: pass more complete container status to NRI, including PID, exit code, and timestamps fro container creation, start, and exit events (#9706, @klihub)
Feature
- Add OpenVEX vulnerability report generation for releases (#9767, @saschagrunert)
- Added
tls_min_version and tls_cipher_suites configuration options to [crio.api] for configuring TLS settings on streaming and metrics servers. Supports TLS 1.2 (default) and TLS 1.3. (#9723, @asahay19)
Bug or Regression
- Fix concurrent RemoveImage race condition by handling ErrNotAnImage as an idempotent deletion result. (#9803, @jnovy)
- Fixed a bug where CRI-O didn’t return all metrics when “all” is set. (#9719, @bitoku)
- Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#9799, @sabujmaity)
- Fixed a regression in v1.35.0 where systemd containers with
hostUsers: false (user namespaces enabled) would fail with “Permission denied” errors when systemd attempted to create cgroups. (#9712, @saschagrunert)
- Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#9782, @bitoku)
- PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#9728, @saschagrunert)
Other (Cleanup or Flake)
- Skip the OCI artifact pull fallback when the initial image pull fails due to a retryable error (#9778, @bitoku)
Dependencies
Added
- cyphar.com/go-pathrs: v0.2.1
- github.com/checkpoint-restore/go-criu/v8: v8.2.0
- github.com/clipperhouse/displaywidth: v0.6.0
- github.com/clipperhouse/stringish: v0.1.1
- github.com/clipperhouse/uax29/v2: v2.3.0
- github.com/mistifyio/go-zfs/v4: v4.0.0
- github.com/olekukonko/cat: 50322a0
Changed
- capnproto.org/go/capnp/v3: v3.1.0-alpha.1 → v3.1.0-alpha.2
- cel.dev/expr: v0.24.0 → v0.25.1
- github.com/BurntSushi/toml: v1.5.0 → v1.6.0
- github.com/avast/retry-go/v4: v4.6.1 → v4.7.0
- github.com/checkpoint-restore/checkpointctl: v1.4.0 → v1.5.0
- github.com/cncf/xds/go: 0feb691 → ee656c7
- github.com/containerd/console: v1.0.4 → v1.0.5
- github.com/containerd/containerd: v1.7.29 → v1.7.30
- github.com/containerd/stargz-snapshotter/estargz: v0.17.0 → v0.18.2
- github.com/containers/conmon-rs: 737e4d6 → v0.7.3
- github.com/coreos/go-systemd/v22: v22.6.0 → v22.7.0
- github.com/cyphar/filepath-securejoin: v0.4.1 → v0.6.1
- github.com/docker/cli: v28.5.1+incompatible → v29.1.5+incompatible
- github.com/docker/docker-credential-helpers: v0.9.4 → v0.9.5
- github.com/docker/docker: v28.5.1+incompatible → v28.5.2+incompatible
- github.com/envoyproxy/go-control-plane/envoy: v1.35.0 → v1.36.0
- github.com/envoyproxy/go-control-plane: 75eaa19 → v0.14.0
- github.com/envoyproxy/protoc-gen-validate: v1.2.1 → v1.3.0
- github.com/go-chi/chi/v5: v5.2.3 → v5.2.5
- github.com/godbus/dbus/v5: v5.2.0 → v5.2.2
- github.com/google/go-containerregistry: v0.20.6 → v0.20.7
- github.com/google/pprof: f64d9cf → 294ebfa
- github.com/grpc-ecosystem/grpc-gateway/v2: v2.27.3 → v2.28.0
- github.com/klauspost/compress: v1.18.0 → v1.18.3
- github.com/mattn/go-runewidth: v0.0.16 → v0.0.19
- github.com/mattn/go-sqlite3: v1.14.32 → v1.14.33
- github.com/maxbrunsfeld/counterfeiter/v6: v6.12.0 → v6.12.1
- github.com/olekukonko/ll: v0.0.9 → v0.1.3
- github.com/olekukonko/tablewriter: v1.1.0 → v1.1.2
- github.com/onsi/ginkgo/v2: v2.27.3 → v2.28.1
- github.com/onsi/gomega: v1.38.3 → v1.39.1
- github.com/opencontainers/runc: v1.3.2 → v1.4.0
- github.com/opencontainers/runtime-tools: edf4cb3 → 5e63903
- github.com/opencontainers/selinux: v1.12.0 → v1.13.1
- github.com/pkg/sftp: v1.13.9 → v1.13.10
- github.com/proglottis/gpgme: v0.1.5 → v0.1.6
- github.com/prometheus/common: v0.67.4 → v0.67.5
- github.com/secure-systems-lab/go-securesystemslib: v0.9.1 → v0.10.0
- github.com/sergi/go-diff: 5b0b94c → v1.4.0
- github.com/sigstore/sigstore: v1.10.0 → v1.10.3
- github.com/sirupsen/logrus: v1.9.3 → v1.9.4
- github.com/urfave/cli: v1.22.16 → v1.22.17
- github.com/vbauerster/mpb/v8: v8.10.2 → v8.11.3
- go.opentelemetry.io/contrib/detectors/gcp: v1.38.0 → v1.39.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.64.0 → v0.66.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/metric: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/sdk/metric: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/sdk: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel/trace: v1.39.0 → v1.41.0
- go.opentelemetry.io/otel: v1.39.0 → v1.41.0
- go.podman.io/common: v0.66.1 → 1e46b07
- go.podman.io/storage: v1.61.0 → b0f86df
- golang.org/x/crypto: v0.46.0 → v0.48.0
- golang.org/x/mod: v0.30.0 → v0.32.0
- golang.org/x/net: v0.48.0 → v0.51.0
- golang.org/x/oauth2: v0.33.0 → v0.35.0
- golang.org/x/sys: v0.39.0 → v0.41.0
- golang.org/x/telemetry: bc8e575 → bd525da
- golang.org/x/term: v0.38.0 → v0.40.0
- golang.org/x/text: v0.32.0 → v0.34.0
- golang.org/x/tools: v0.39.0 → v0.41.0
- google.golang.org/genproto/googleapis/api: ff82c1b → 4cfbd41
- google.golang.org/genproto/googleapis/rpc: ff82c1b → 4cfbd41
- google.golang.org/grpc: v1.77.0 → v1.79.1
- google.golang.org/protobuf: v1.36.10 → v1.36.11
- k8s.io/api: v0.35.0-rc.0 → v0.35.2
- k8s.io/apimachinery: v0.35.0-rc.0 → v0.35.2
- k8s.io/apiserver: v0.35.0-rc.0 → v0.35.1
- k8s.io/client-go: v0.35.0-rc.0 → v0.35.2
- k8s.io/component-base: v0.35.0-rc.0 → v0.35.2
- k8s.io/cri-api: v0.35.0-rc.0 → v0.35.1
- k8s.io/cri-client: v0.35.0-rc.0 → v0.35.1
- k8s.io/kms: v0.35.0-rc.0 → v0.35.1
- k8s.io/kubelet: v0.35.0-rc.0 → v0.35.1
- k8s.io/utils: bc988d5 → b8788ab
- sigs.k8s.io/knftables: v0.0.19 → v0.0.20
- sigs.k8s.io/release-utils: v0.12.2 → v0.12.3
Removed
- github.com/checkpoint-restore/go-criu/v6: v6.3.0
- github.com/klauspost/cpuid/v2: v2.0.4
- github.com/minio/sha256-simd: v1.0.0