• CRI-O v1.36.1
  • Downloads
  • Changelog since v1.36.0
    • Changes by Kind
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.36.1

The release notes have been generated for the commit range
v1.36.0...v1.36.1 on Wed, 03 Jun 2026 01:06:59 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.36.1.tar.gz
  • cri-o.amd64.v1.36.1.tar.gz.sha256sum
  • cri-o.amd64.v1.36.1.tar.gz.bundle
  • cri-o.amd64.v1.36.1.tar.gz.spdx
  • cri-o.amd64.v1.36.1.tar.gz.spdx.bundle
• cri-o.arm64.v1.36.1.tar.gz
  • cri-o.arm64.v1.36.1.tar.gz.sha256sum
  • cri-o.arm64.v1.36.1.tar.gz.bundle
  • cri-o.arm64.v1.36.1.tar.gz.spdx
  • cri-o.arm64.v1.36.1.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.36.1.tar.gz
  • cri-o.ppc64le.v1.36.1.tar.gz.sha256sum
  • cri-o.ppc64le.v1.36.1.tar.gz.bundle
  • cri-o.ppc64le.v1.36.1.tar.gz.spdx
  • cri-o.ppc64le.v1.36.1.tar.gz.spdx.bundle
• cri-o.s390x.v1.36.1.tar.gz
  • cri-o.s390x.v1.36.1.tar.gz.sha256sum
  • cri-o.s390x.v1.36.1.tar.gz.bundle
  • cri-o.s390x.v1.36.1.tar.gz.spdx
  • cri-o.s390x.v1.36.1.tar.gz.spdx.bundle

The OpenVEX report for this release is available at:

• cri-o.v1.36.1.openvex.json

The SLSA provenance attestation for this release is available at:

• cri-o.v1.36.1.provenance.json
  • cri-o.v1.36.1.provenance.json.bundle

All release artifacts (bundles, SBOMs, VEX, and provenance) are also available as signed OCI artifacts at ghcr.io/cri-o/bundle:v1.36.1.

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.36.1.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.36.1.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.36.1.tar.gz
> bom validate -e cri-o.amd64.v1.36.1.tar.gz.spdx -d cri-o

To verify the OpenVEX vulnerability report, run:

> cosign verify-blob cri-o.v1.36.1.openvex.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.1.openvex.json.bundle

To verify the SLSA provenance attestation, run:

> cosign verify-blob cri-o.v1.36.1.provenance.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.1.provenance.json.bundle

Changelog since v1.36.0

Changes by Kind

Uncategorized

• Fixed a bug where ImageRef in container status changed from a repo@digest to a raw image ID hash after CRI-O restart. (#9984, @openshift-cherrypick-robot)
• Reduced the verbosity of debug logs for List* RPC calls to improve performance (#9951, @openshift-cherrypick-robot)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

• CRI-O v1.35.4
  • Downloads
  • Changelog since v1.35.3
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.35.4

The release notes have been generated for the commit range
v1.35.3...v1.35.4 on Wed, 03 Jun 2026 01:06:57 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.35.4.tar.gz
  • cri-o.amd64.v1.35.4.tar.gz.sha256sum
  • cri-o.amd64.v1.35.4.tar.gz.bundle
  • cri-o.amd64.v1.35.4.tar.gz.spdx
  • cri-o.amd64.v1.35.4.tar.gz.spdx.bundle
• cri-o.arm64.v1.35.4.tar.gz
  • cri-o.arm64.v1.35.4.tar.gz.sha256sum
  • cri-o.arm64.v1.35.4.tar.gz.bundle
  • cri-o.arm64.v1.35.4.tar.gz.spdx
  • cri-o.arm64.v1.35.4.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.35.4.tar.gz
  • cri-o.ppc64le.v1.35.4.tar.gz.sha256sum
  • cri-o.ppc64le.v1.35.4.tar.gz.bundle
  • cri-o.ppc64le.v1.35.4.tar.gz.spdx
  • cri-o.ppc64le.v1.35.4.tar.gz.spdx.bundle
• cri-o.s390x.v1.35.4.tar.gz
  • cri-o.s390x.v1.35.4.tar.gz.sha256sum
  • cri-o.s390x.v1.35.4.tar.gz.bundle
  • cri-o.s390x.v1.35.4.tar.gz.spdx
  • cri-o.s390x.v1.35.4.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.35.4.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.35.4.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.35.4.tar.gz
> bom validate -e cri-o.amd64.v1.35.4.tar.gz.spdx -d cri-o

Changelog since v1.35.3

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

• CRI-O v1.34.9
  • Downloads
  • Changelog since v1.34.8
    • Changes by Kind
      • Bug or Regression
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.34.9

The release notes have been generated for the commit range
v1.34.8...v1.34.9 on Wed, 03 Jun 2026 01:06:54 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.34.9.tar.gz
  • cri-o.amd64.v1.34.9.tar.gz.sha256sum
  • cri-o.amd64.v1.34.9.tar.gz.bundle
  • cri-o.amd64.v1.34.9.tar.gz.spdx
  • cri-o.amd64.v1.34.9.tar.gz.spdx.bundle
• cri-o.arm64.v1.34.9.tar.gz
  • cri-o.arm64.v1.34.9.tar.gz.sha256sum
  • cri-o.arm64.v1.34.9.tar.gz.bundle
  • cri-o.arm64.v1.34.9.tar.gz.spdx
  • cri-o.arm64.v1.34.9.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.34.9.tar.gz
  • cri-o.ppc64le.v1.34.9.tar.gz.sha256sum
  • cri-o.ppc64le.v1.34.9.tar.gz.bundle
  • cri-o.ppc64le.v1.34.9.tar.gz.spdx
  • cri-o.ppc64le.v1.34.9.tar.gz.spdx.bundle
• cri-o.s390x.v1.34.9.tar.gz
  • cri-o.s390x.v1.34.9.tar.gz.sha256sum
  • cri-o.s390x.v1.34.9.tar.gz.bundle
  • cri-o.s390x.v1.34.9.tar.gz.spdx
  • cri-o.s390x.v1.34.9.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.9.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.34.9.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.34.9.tar.gz
> bom validate -e cri-o.amd64.v1.34.9.tar.gz.spdx -d cri-o

Changelog since v1.34.8

Changes by Kind

Bug or Regression

• Fix a panic caused by concurrent StopContainer calls racing to send on an already-closed channel. (#9920, @sabujmaity)

Uncategorized

• Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9879, @openshift-cherrypick-robot)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

• CRI-O v1.33.13
  • Downloads
  • Changelog since v1.33.12
    • Changes by Kind
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.33.13

The release notes have been generated for the commit range
v1.33.12...v1.33.13 on Wed, 03 Jun 2026 01:06:51 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.33.13.tar.gz
  • cri-o.amd64.v1.33.13.tar.gz.sha256sum
  • cri-o.amd64.v1.33.13.tar.gz.bundle
  • cri-o.amd64.v1.33.13.tar.gz.spdx
  • cri-o.amd64.v1.33.13.tar.gz.spdx.bundle
• cri-o.arm64.v1.33.13.tar.gz
  • cri-o.arm64.v1.33.13.tar.gz.sha256sum
  • cri-o.arm64.v1.33.13.tar.gz.bundle
  • cri-o.arm64.v1.33.13.tar.gz.spdx
  • cri-o.arm64.v1.33.13.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.33.13.tar.gz
  • cri-o.ppc64le.v1.33.13.tar.gz.sha256sum
  • cri-o.ppc64le.v1.33.13.tar.gz.bundle
  • cri-o.ppc64le.v1.33.13.tar.gz.spdx
  • cri-o.ppc64le.v1.33.13.tar.gz.spdx.bundle
• cri-o.s390x.v1.33.13.tar.gz
  • cri-o.s390x.v1.33.13.tar.gz.sha256sum
  • cri-o.s390x.v1.33.13.tar.gz.bundle
  • cri-o.s390x.v1.33.13.tar.gz.spdx
  • cri-o.s390x.v1.33.13.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.13.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.33.13.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.33.13.tar.gz
> bom validate -e cri-o.amd64.v1.33.13.tar.gz.spdx -d cri-o

Changelog since v1.33.12

Changes by Kind

Uncategorized

• Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9932, @openshift-cherrypick-robot)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

• CRI-O v1.35.3
  • Downloads
  • Changelog since v1.35.2
    • Changes by Kind
      • Feature
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.35.3

The release notes have been generated for the commit range
v1.35.2...v1.35.3 on Tue, 05 May 2026 00:45:32 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.35.3.tar.gz
  • cri-o.amd64.v1.35.3.tar.gz.sha256sum
  • cri-o.amd64.v1.35.3.tar.gz.bundle
  • cri-o.amd64.v1.35.3.tar.gz.spdx
  • cri-o.amd64.v1.35.3.tar.gz.spdx.bundle
• cri-o.arm64.v1.35.3.tar.gz
  • cri-o.arm64.v1.35.3.tar.gz.sha256sum
  • cri-o.arm64.v1.35.3.tar.gz.bundle
  • cri-o.arm64.v1.35.3.tar.gz.spdx
  • cri-o.arm64.v1.35.3.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.35.3.tar.gz
  • cri-o.ppc64le.v1.35.3.tar.gz.sha256sum
  • cri-o.ppc64le.v1.35.3.tar.gz.bundle
  • cri-o.ppc64le.v1.35.3.tar.gz.spdx
  • cri-o.ppc64le.v1.35.3.tar.gz.spdx.bundle
• cri-o.s390x.v1.35.3.tar.gz
  • cri-o.s390x.v1.35.3.tar.gz.sha256sum
  • cri-o.s390x.v1.35.3.tar.gz.bundle
  • cri-o.s390x.v1.35.3.tar.gz.spdx
  • cri-o.s390x.v1.35.3.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.35.3.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.35.3.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.35.3.tar.gz
> bom validate -e cri-o.amd64.v1.35.3.tar.gz.spdx -d cri-o

Changelog since v1.35.2

Changes by Kind

Feature

• CRI-O now continuously monitors CNI plugin health using the STATUS
  verb. If a plugin becomes unhealthy after initial readiness, the node
  is reported as NetworkReady=false, preventing pod scheduling on
  affected nodes. The node self-heals when the plugin recovers. (#9903, @haircommander)

Uncategorized

• Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9897, @openshift-cherrypick-robot)
• Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9876, @openshift-cherrypick-robot)
• Fix CVE-2026-35469 by updating spdystream dependency (#9883, @openshift-cherrypick-robot)
• Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#9814, @openshift-cherrypick-robot)
• Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9871, @openshift-cherrypick-robot)
• Revert CRI-O CNI monitoring, as it has caused node bootstrapping regressions (#9908, @haircommander)

Dependencies

Added

Nothing has changed.

Changed

• github.com/moby/spdystream: v0.5.0 → v0.5.1

Removed

Nothing has changed.

• CRI-O v1.34.8
  • Downloads
  • Changelog since v1.34.7
    • Changes by Kind
      • Dependency-Change
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.34.8

The release notes have been generated for the commit range
v1.34.7...v1.34.8 on Tue, 05 May 2026 00:45:22 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.34.8.tar.gz
  • cri-o.amd64.v1.34.8.tar.gz.sha256sum
  • cri-o.amd64.v1.34.8.tar.gz.bundle
  • cri-o.amd64.v1.34.8.tar.gz.spdx
  • cri-o.amd64.v1.34.8.tar.gz.spdx.bundle
• cri-o.arm64.v1.34.8.tar.gz
  • cri-o.arm64.v1.34.8.tar.gz.sha256sum
  • cri-o.arm64.v1.34.8.tar.gz.bundle
  • cri-o.arm64.v1.34.8.tar.gz.spdx
  • cri-o.arm64.v1.34.8.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.34.8.tar.gz
  • cri-o.ppc64le.v1.34.8.tar.gz.sha256sum
  • cri-o.ppc64le.v1.34.8.tar.gz.bundle
  • cri-o.ppc64le.v1.34.8.tar.gz.spdx
  • cri-o.ppc64le.v1.34.8.tar.gz.spdx.bundle
• cri-o.s390x.v1.34.8.tar.gz
  • cri-o.s390x.v1.34.8.tar.gz.sha256sum
  • cri-o.s390x.v1.34.8.tar.gz.bundle
  • cri-o.s390x.v1.34.8.tar.gz.spdx
  • cri-o.s390x.v1.34.8.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.8.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.34.8.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.34.8.tar.gz
> bom validate -e cri-o.amd64.v1.34.8.tar.gz.spdx -d cri-o

Changelog since v1.34.7

Changes by Kind

Dependency-Change

• Fix CVE-2026-35469 by updating spdystream dependency (#9884, @haircommander)

Uncategorized

• Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9899, @openshift-cherrypick-robot)
• Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9886, @haircommander)

Dependencies

Added

Nothing has changed.

Changed

• github.com/moby/spdystream: v0.5.0 → v0.5.1

Removed

Nothing has changed.

• CRI-O v1.33.12
  • Downloads
  • Changelog since v1.33.11
    • Changes by Kind
      • Dependency-Change
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.33.12

The release notes have been generated for the commit range
v1.33.11...v1.33.12 on Tue, 05 May 2026 00:45:31 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.33.12.tar.gz
  • cri-o.amd64.v1.33.12.tar.gz.sha256sum
  • cri-o.amd64.v1.33.12.tar.gz.bundle
  • cri-o.amd64.v1.33.12.tar.gz.spdx
  • cri-o.amd64.v1.33.12.tar.gz.spdx.bundle
• cri-o.arm64.v1.33.12.tar.gz
  • cri-o.arm64.v1.33.12.tar.gz.sha256sum
  • cri-o.arm64.v1.33.12.tar.gz.bundle
  • cri-o.arm64.v1.33.12.tar.gz.spdx
  • cri-o.arm64.v1.33.12.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.33.12.tar.gz
  • cri-o.ppc64le.v1.33.12.tar.gz.sha256sum
  • cri-o.ppc64le.v1.33.12.tar.gz.bundle
  • cri-o.ppc64le.v1.33.12.tar.gz.spdx
  • cri-o.ppc64le.v1.33.12.tar.gz.spdx.bundle
• cri-o.s390x.v1.33.12.tar.gz
  • cri-o.s390x.v1.33.12.tar.gz.sha256sum
  • cri-o.s390x.v1.33.12.tar.gz.bundle
  • cri-o.s390x.v1.33.12.tar.gz.spdx
  • cri-o.s390x.v1.33.12.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.33.12.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.33.12.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.33.12.tar.gz
> bom validate -e cri-o.amd64.v1.33.12.tar.gz.spdx -d cri-o

Changelog since v1.33.11

Changes by Kind

Dependency-Change

• Fix CVE-2026-35469 by updating spdystream dependency (#9888, @haircommander)

Uncategorized

• Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9887, @haircommander)

Dependencies

Added

Nothing has changed.

Changed

• github.com/moby/spdystream: v0.5.0 → v0.5.1

Removed

Nothing has changed.

CRI-O v1.36.0

The release notes have been generated for the commit range
v1.35.0...v1.36.0 on Tue, 05 May 2026 18:27:19 UTC.

Downloads

Release Bundles

Download one of our static release bundles via our Google Cloud Bucket.
Each bundle includes a SHA-256 checksum, a cosign signature (.bundle), and a SPDX bill of materials (.spdx) with its own signature:

• cri-o.amd64.v1.36.0.tar.gz
  • cri-o.amd64.v1.36.0.tar.gz.sha256sum
  • cri-o.amd64.v1.36.0.tar.gz.bundle
  • cri-o.amd64.v1.36.0.tar.gz.spdx
  • cri-o.amd64.v1.36.0.tar.gz.spdx.bundle
• cri-o.arm64.v1.36.0.tar.gz
  • cri-o.arm64.v1.36.0.tar.gz.sha256sum
  • cri-o.arm64.v1.36.0.tar.gz.bundle
  • cri-o.arm64.v1.36.0.tar.gz.spdx
  • cri-o.arm64.v1.36.0.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.36.0.tar.gz
  • cri-o.ppc64le.v1.36.0.tar.gz.sha256sum
  • cri-o.ppc64le.v1.36.0.tar.gz.bundle
  • cri-o.ppc64le.v1.36.0.tar.gz.spdx
  • cri-o.ppc64le.v1.36.0.tar.gz.spdx.bundle
• cri-o.s390x.v1.36.0.tar.gz
  • cri-o.s390x.v1.36.0.tar.gz.sha256sum
  • cri-o.s390x.v1.36.0.tar.gz.bundle
  • cri-o.s390x.v1.36.0.tar.gz.spdx
  • cri-o.s390x.v1.36.0.tar.gz.spdx.bundle

Supply Chain Artifacts

The OpenVEX vulnerability report:

• cri-o.v1.36.0.openvex.json
  • cri-o.v1.36.0.openvex.json.bundle

The SLSA provenance attestation:

• cri-o.v1.36.0.provenance.json
  • cri-o.v1.36.0.provenance.json.bundle

OCI Distribution

All release artifacts are also available as signed OCI artifacts at ghcr.io/cri-o/bundle:v1.36.0.

Verification

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.36.0.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.36.0.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.36.0.tar.gz
> bom validate -e cri-o.amd64.v1.36.0.tar.gz.spdx -d cri-o

To verify the OpenVEX vulnerability report, run:

> cosign verify-blob cri-o.v1.36.0.openvex.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.openvex.json.bundle

To verify the SLSA provenance attestation, run:

> cosign verify-blob cri-o.v1.36.0.provenance.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.provenance.json.bundle

Changelog since v1.35.0

Changes by Kind

Feature

• Add OpenVEX vulnerability report generation for releases (#9767, @saschagrunert)
• Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9870, @haircommander)
• Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9860, @harche)
• Added tls_min_version and tls_cipher_suites configuration options to [crio.api] for configuring TLS settings on streaming and metrics servers. Supports TLS 1.2 (default) and TLS 1.3. (#9723, @asahay19)
• Added support for configuring additional read-only artifact stores via the additional_artifact_stores configuration option. (#9702, @pauloappbr)
• CRI-O now continuously monitors CNI plugin health using the STATUS verb. If a plugin becomes unhealthy after initial readiness, the node is reported as NetworkReady=false, preventing pod scheduling on affected nodes. The node self-heals when the plugin recovers. (#9855, @tsorya)
• Implement StreamContainers, StreamContainerStats, StreamPodSandboxes, StreamPodSandboxStats, StreamPodSandboxMetrics, StreamImages (#9761, @bitoku)

Dependency-Change

• Fix CVE-2026-35469 by updating spdystream dependency (#9880, @haircommander)

Bug or Regression

• Fix concurrent RemoveImage race condition by handling ErrNotAnImage as an idempotent deletion result. (#9803, @jnovy)
• Fixed UpdateContainerResources to apply cgroupv2 unified settings (#9820, @PannagaRao)
• Fixed a bug where CRI-O didn't return all metrics when "all" is set. (#9719, @bitoku)
• Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#9799, @sabujmaity)
• Fixed a regression in v1.35.0 where systemd containers with hostUsers: false (user namespaces enabled) would fail with "Permission denied" errors when systemd attempted to create cgroups. (#9712, @saschagrunert)
• Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#9782, @bitoku)
• Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9846, @bitoku)
• PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#9728, @saschagrunert)
• Respect the same pinned_images configuration used by regular container images (#9836, @bitoku)

Other

• Nri: pass any container POSIX rlimits to NRI plugins as input. (#9707, @klihub)
• Nri: pass any container user ID/group ID information to NRI plugins as input (#9708, @klihub)
• Nri: pass more complete container status to NRI, including PID, exit code, and timestamps fro container creation, start, and exit events (#9706, @klihub)
• Skip the OCI artifact pull fallback when the initial image pull fails due to a retryable error (#9778, @bitoku)

Dependencies

Added

• cyphar.com/go-pathrs: v0.2.1
• github.com/checkpoint-restore/go-criu/v8: v8.2.0
• github.com/clipperhouse/displaywidth: v0.6.0
• github.com/clipperhouse/stringish: v0.1.1
• github.com/clipperhouse/uax29/v2: v2.3.0
• github.com/mistifyio/go-zfs/v4: v4.0.0
• github.com/olekukonko/cat: 50322a0
• k8s.io/cri-streaming: v0.36.0-rc.0
• k8s.io/streaming: v0.36.0-rc.0

Changed

• capnproto.org/go/capnp/v3: v3.1.0-alpha.1 → v3.1.0-alpha.2
• cel.dev/expr: v0.24.0 → v0.25.1
• github.com/BurntSushi/toml: v1.5.0 → v1.6.0
• github.com/avast/retry-go/v4: v4.6.1 → v4.7.0
• github.com/checkpoint-restore/checkpointctl: v1.4.0 → v1.5.0
• github.com/cncf/xds/go: 0feb691 → ee656c7
• github.com/containerd/console: [v1.0.4 → v1.0.5](https://github.com/c...

• CRI-O v1.35.2
  • Downloads
  • Changelog since v1.35.1
    • Changes by Kind
      • Bug or Regression
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.35.2

The release notes have been generated for the commit range
v1.35.1...v1.35.2 on Thu, 02 Apr 2026 00:35:01 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.35.2.tar.gz
  • cri-o.amd64.v1.35.2.tar.gz.sha256sum
  • cri-o.amd64.v1.35.2.tar.gz.bundle
  • cri-o.amd64.v1.35.2.tar.gz.spdx
  • cri-o.amd64.v1.35.2.tar.gz.spdx.bundle
• cri-o.arm64.v1.35.2.tar.gz
  • cri-o.arm64.v1.35.2.tar.gz.sha256sum
  • cri-o.arm64.v1.35.2.tar.gz.bundle
  • cri-o.arm64.v1.35.2.tar.gz.spdx
  • cri-o.arm64.v1.35.2.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.35.2.tar.gz
  • cri-o.ppc64le.v1.35.2.tar.gz.sha256sum
  • cri-o.ppc64le.v1.35.2.tar.gz.bundle
  • cri-o.ppc64le.v1.35.2.tar.gz.spdx
  • cri-o.ppc64le.v1.35.2.tar.gz.spdx.bundle
• cri-o.s390x.v1.35.2.tar.gz
  • cri-o.s390x.v1.35.2.tar.gz.sha256sum
  • cri-o.s390x.v1.35.2.tar.gz.bundle
  • cri-o.s390x.v1.35.2.tar.gz.spdx
  • cri-o.s390x.v1.35.2.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.35.2.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.35.2.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.35.2.tar.gz
> bom validate -e cri-o.amd64.v1.35.2.tar.gz.spdx -d cri-o

Changelog since v1.35.1

Changes by Kind

Bug or Regression

• PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#9826, @haircommander)

Uncategorized

• Added support for configuring additional read-only artifact stores via the additional_artifact_stores configuration option. (#9829, @openshift-cherrypick-robot)
• Fixed a bug where CRI-O didn't return all metrics when "all" is set. (#9781, @openshift-cherrypick-robot)
• Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#9788, @openshift-cherrypick-robot)
• Respect the same pinned_images configuration used by regular container images (#9838, @openshift-cherrypick-robot)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

• CRI-O v1.34.7
  • Downloads
  • Changelog since v1.34.6
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.34.7

The release notes have been generated for the commit range
v1.34.6...v1.34.7 on Thu, 02 Apr 2026 00:34:58 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.34.7.tar.gz
  • cri-o.amd64.v1.34.7.tar.gz.sha256sum
  • cri-o.amd64.v1.34.7.tar.gz.bundle
  • cri-o.amd64.v1.34.7.tar.gz.spdx
  • cri-o.amd64.v1.34.7.tar.gz.spdx.bundle
• cri-o.arm64.v1.34.7.tar.gz
  • cri-o.arm64.v1.34.7.tar.gz.sha256sum
  • cri-o.arm64.v1.34.7.tar.gz.bundle
  • cri-o.arm64.v1.34.7.tar.gz.spdx
  • cri-o.arm64.v1.34.7.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.34.7.tar.gz
  • cri-o.ppc64le.v1.34.7.tar.gz.sha256sum
  • cri-o.ppc64le.v1.34.7.tar.gz.bundle
  • cri-o.ppc64le.v1.34.7.tar.gz.spdx
  • cri-o.ppc64le.v1.34.7.tar.gz.spdx.bundle
• cri-o.s390x.v1.34.7.tar.gz
  • cri-o.s390x.v1.34.7.tar.gz.sha256sum
  • cri-o.s390x.v1.34.7.tar.gz.bundle
  • cri-o.s390x.v1.34.7.tar.gz.spdx
  • cri-o.s390x.v1.34.7.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.7.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.34.7.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.34.7.tar.gz
> bom validate -e cri-o.amd64.v1.34.7.tar.gz.spdx -d cri-o

Changelog since v1.34.6

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.