Download Latest Version v1.36.0 source code.tar.gz (21.7 MB)
Email in envelope

Get an email when there's a new version of CRI-O

Home / v1.36.0
Name Modified Size InfoDownloads / Week
Parent folder
README.md 2026-05-04 18.9 kB
0
v1.36.0 source code.tar.gz 2026-05-04 21.7 MB
0
v1.36.0 source code.zip 2026-05-04 28.6 MB
0
Totals: 3 Items   50.3 MB 0

CRI-O v1.36.0

The release notes have been generated for the commit range v1.35.0...v1.36.0 on Tue, 05 May 2026 18:27:19 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

The OpenVEX report for this release is available at:

The SLSA provenance attestation for this release is available at:

All release artifacts (bundles, SBOMs, VEX, and provenance) are also available as signed OCI artifacts at ghcr.io/cri-o/bundle:v1.36.0.

To verify the artifact signatures via cosign, run:

:::console
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.36.0.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.36.0.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

:::console
> tar xfz cri-o.amd64.v1.36.0.tar.gz
> bom validate -e cri-o.amd64.v1.36.0.tar.gz.spdx -d cri-o

To verify the OpenVEX vulnerability report, run:

:::console
> cosign verify-blob cri-o.v1.36.0.openvex.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.openvex.json.bundle

To verify the SLSA provenance attestation, run:

:::console
> cosign verify-blob cri-o.v1.36.0.provenance.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.provenance.json.bundle

Changelog since v1.35.0

Changes by Kind

Other

  • Nri: pass any container POSIX rlimits to NRI plugins as input. (#9707, @klihub)
  • Nri: pass any container user ID/group ID information to NRI plugins as input (#9708, @klihub)
  • Nri: pass more complete container status to NRI, including PID, exit code, and timestamps fro container creation, start, and exit events (#9706, @klihub)

Dependency-Change

  • Fix CVE-2026-35469 by updating spdystream dependency (#9880, @haircommander)

Feature

  • Add OpenVEX vulnerability report generation for releases (#9767, @saschagrunert)
  • Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9870, @haircommander)
  • Added tls_min_version and tls_cipher_suites configuration options to [crio.api] for configuring TLS settings on streaming and metrics servers. Supports TLS 1.2 (default) and TLS 1.3. (#9723, @asahay19)
  • Added support for configuring additional read-only artifact stores via the additional_artifact_stores configuration option. (#9702, @pauloappbr)
  • Implement StreamContainers, StreamContainerStats, StreamPodSandboxes, StreamPodSandboxStats, StreamPodSandboxMetrics, StreamImages (#9761, @bitoku)

Bug or Regression

  • Fix concurrent RemoveImage race condition by handling ErrNotAnImage as an idempotent deletion result. (#9803, @jnovy)
  • Fixed UpdateContainerResources to apply cgroupv2 unified settings (#9820, @PannagaRao)
  • Fixed a bug where CRI-O didn't return all metrics when "all" is set. (#9719, @bitoku)
  • Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#9799, @sabujmaity)
  • Fixed a regression in v1.35.0 where systemd containers with hostUsers: false (user namespaces enabled) would fail with "Permission denied" errors when systemd attempted to create cgroups. (#9712, @saschagrunert)
  • Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#9782, @bitoku)
  • Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9846, @bitoku)
  • PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#9728, @saschagrunert)
  • Respect the same pinned_images configuration used by regular container images (#9836, @bitoku)

Other (Cleanup or Flake)

  • Skip the OCI artifact pull fallback when the initial image pull fails due to a retryable error (#9778, @bitoku)

Uncategorized

  • Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9860, @harche)
  • CRI-O now continuously monitors CNI plugin health using the STATUS verb. If a plugin becomes unhealthy after initial readiness, the node is reported as NetworkReady=false, preventing pod scheduling on affected nodes. The node self-heals when the plugin recovers. (#9855, @tsorya)

Dependencies

Added

Changed

Removed

Source: README.md, updated 2026-05-04