• Golang upgrade to 1.26.4 for CVE fixes.
• Fixes for ACCESS_TOKEN_EXPIRED error caused by slow networks/clock drifts.
• Fixes for gRPC checksum mismatch error.

Dependency Upgrades / CVE fixes

• Upgraded Golang to version 1.26.3 and updated several Go dependencies, including the OpenTelemetry Go SDK and go-jose, to remediate security vulnerabilities (CVE-2026-34986, CVE-2026-42499, CVE-2026-39883, CVE-2026-29181, and CVE-2026-33814).

Dependency Upgrades / CVE fixes

Upgraded Golang to version 1.26.3 and updated several Go dependencies, including google.golang.org/grpc, golang.org/x/crypto, and golang.org/x/oauth2, to remediate security vulnerabilities (CVE-2026-33186, CVE-2024-45337, CVE-2026-27143, CVE-2025-68121, CVE-2025-22871, CVE-2026-32283, CVE-2025-61725, and CVE-2025-22868).

Dependency Upgrades / CVE fixes

• Upgraded Golang to version 1.26.3 and updated several Go dependencies, including the OpenTelemetry Go SDK and gRPC, to remediate security vulnerabilities (CVE-2026-33186, CVE-2026-24051, CVE-2026-29181, CVE-2026-39883, and CVE-2026-34986).

Bug fixes & Improvements

• update cloud.google.com/go/storage to version 1.61.4 to make retries more robust PR#4713

Bug fixes & Improvements

• Fixed memory leak in buffered reader during multi-block read PR#4638
• Improved direct patch enforcement strategy for gRPC client PR#4635

Dependency Upgrades / CVE fixes

• Upgraded Golang from 1.26.1 to 1.26.2 to include latest security patches and performance improvements.
• go-gRPC patch release upgrade from 1.79.2 to 1.79.3 to include latest security patches.

Consistent symlink handling across GCS clients

GCSFuse now represents symbolic links the same way as Storage Transfer Service (STS) and other GCS clients(like gcloud storage CLI etc). This feature makes it easier for customers to transfer data via GCSFuse to and from GCS without worrying about symbolic link compatibility issues across GCS clients. This is enabled by default.
GCSfuse will now represent the symbolic links as finite-sized objects where the content is the target path, identified by the reserved metadata goog-reserved-file-is-symlink: true. This new feature is compatible with old representation of symbolic links used by prior versions of GCSFuse.

Bug fixes & Improvements

• Enhanced resiliency of the writes(that includes checkpoint write) by increasing the retry deadline to a higher value(120s instead of 32s) PR#4473.
• Fixed a bug in the requester pays feature to ensure the billing project correctly propagates for ListObject requests in gRPC protocol, eliminating the "no user project provided" error PR#4611
• File Cache now adheres to the physical space utilization of files on the storage media rather than logical size PR#4514
• Fixed memory leak in buffered reader during multi-block read PR#4638
• Improved direct patch enforcement strategy for gRPC client PR#4635

Bugs Fixed

Premature EOF on kernels with large page-sizes
Aggressive kernel read-ahead on ARM64 architectures with large page-sizes previously caused premature-EOFs on reads. This release provides a critical stability fix for GCSFuse on ARM64 architectures configured with large page sizes (e.g. Google Cloud A4X and A4X Max instances with 64 KiB memory pages).

Built on top of version 3.6.0 with the following bug fixed

Premature EOF on kernels with large page-sizes
Aggressive kernel read-ahead on ARM64 architectures with large page-sizes previously caused premature-EOFs on reads. This release provides a critical stability fix for GCSFuse on ARM64 architectures configured with large page sizes (e.g. Google Cloud A4X and A4X Max instances with 64 KiB memory pages).