The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1060000
• 1.32.13-gke.1059000
• 1.31.14-gke.1599000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1060000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-31 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1117000
• 1.32.13-gke.1090000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.12-gke.1127000
• 1.31.14-gke.1376000
• 1.30.14-gke.2192000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1076000
• 1.33.9-gke.1060000
• 1.32.13-gke.1059000
• 1.31.14-gke.1476000
• 1.30.14-gke.2117000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.12-gke.1127000
• 1.31.14-gke.1376000
• 1.30.14-gke.2192000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.13-gke.1059000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.0-gke.2398000
• 1.32.11-gke.1174000
• 1.33.5-gke.2392000
• 1.34.3-gke.1318000
• 1.31.14-gke.1243000
• 1.30.14-gke.1922000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GKE control plane and infrastructure is not vulnerable. GKE core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GKE Nodes: The OpenSSL library included in the GKE Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GKE versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

2026-02-20 Update: The following versions of GKE are updated with code to fix this vulnerability. Upgrade your GKE node pools to the following versions or later:

• 1.35.0-gke.2398000
• 1.34.3-gke.1318000
• 1.33.5-gke.2392000
• 1.32.11-gke.1264000

There is no action at this time. This security bulletin will be updated when new GKE versions are available that use the patched version of OpenSSL.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GDC software for VMware control plane and infrastructure is not vulnerable. GDC software for VMware core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GDC software for VMware Nodes: The OpenSSL library included in the GDC software for VMware Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GDC software for VMware versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

There is no action at this time. This security bulletin will be updated when new Google Distributed Cloud versions are available that use the patched version of OpenSSL.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GKE on AWS control plane and infrastructure is not vulnerable. GKE on AWS core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GKE on AWS Nodes: The OpenSSL library included in the GKE on AWS Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GKE on AWS versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

There is no action at this time. This security bulletin will be updated when new GKE on AWS versions are available that use the patched version of OpenSSL.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GKE on Azure control plane and infrastructure is not vulnerable. GKE on Azure core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GKE on Azure Nodes: The OpenSSL library included in the GKE on Azure Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GKE on Azure versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

There is no action at this time. This security bulletin will be updated when new GKE on Azure versions are available that use the patched version of OpenSSL.

Several security issues have been discovered in OpenSSL. The most critical is CVE-2025-15467, which could be used to execute a denial of service or remote code execution attack over the internet.

GDC software for bare metal is not vulnerable to this threat. GDC software for bare metal uses BoringCrypto for network facing services such as the Kubernetes apiserver and Kubelet, and BoringCrypto is not affected by this vulnerability. BoringCrypto is extracted from BoringSSL, a fork of OpenSSL focused on security hardening and performance.

GDC software for bare metal does not provide a node OS. Customers are responsible for installing and maintaining a supported Linux distribution on physical hardware before installing the GKE software.

What should I do?

Update your Linux OS image to one that includes the latest Open SSL distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.1-gke.1396000
• 1.34.4-gke.1047000
• 1.33.8-gke.1026000
• 1.32.12-gke.1026000
• 1.31.14-gke.1336000
• 1.30.14-gke.1991000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.34.1-gke.3556000
• 1.30.14-gke.1719000
• 1.31.13-gke.1139000
• 1.29.15-gke.2467000
• 1.33.5-gke.1862000
• 1.32.9-gke.1239000
• 1.28.15-gke.3163000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.13-gke.1059000
• 1.31.14-gke.1423000
• 1.30.14-gke.2071000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1632000
• 1.29.15-gke.2553000
• 1.33.5-gke.1956000
• 1.34.1-gke.3556000
• 1.31.14-gke.1081000
• 1.30.14-gke.1794000
• 1.28.15-gke.3225000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1632000
• 1.28.15-gke.3225000
• 1.33.5-gke.1956000
• 1.34.1-gke.3556000
• 1.30.14-gke.1794000
• 1.31.14-gke.1081000
• 1.29.15-gke.2553000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1330000
• 1.34.1-gke.2541000
• 1.33.5-gke.1350000
• 1.31.13-gke.1231000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.1-gke.1396000
• 1.34.4-gke.1047000
• 1.33.8-gke.1026000
• 1.32.12-gke.1026000
• 1.31.14-gke.1476000
• 1.30.14-gke.2117000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2966000
• 1.32.9-gke.1330000
• 1.33.5-gke.1350000
• 1.29.15-gke.2236000
• 1.31.13-gke.1231000
• 1.30.14-gke.1525000
• 1.34.1-gke.2541000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.31.1100-gke.40

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.1-gke.1396000
• 1.34.4-gke.1047000
• 1.33.8-gke.1026000
• 1.32.12-gke.1026000
• 1.31.14-gke.1336000
• 1.30.14-gke.1991000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1330000
• 1.29.15-gke.2236000
• 1.30.14-gke.1525000
• 1.31.13-gke.1231000
• 1.34.1-gke.2541000
• 1.28.15-gke.2966000
• 1.33.5-gke.1350000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.31.1100-gke.40

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

These vulnerabilities affect GKE Standard clusters running either Container-Optimized OS (COS) or Ubuntu node images, as well as Autopilot clusters. Node pools using GKE Sandbox are not affected and Windows node pools are not affected.

What should I do?

2025-11-27 Update: The following versions of GKE are updated with code to fix these vulnerabilities on Container-Optimized OS. Upgrade your GKE node pools to the following versions or later:

• 1.34.1-gke.3355000
• 1.33.5-gke.1791000
• 1.32.9-gke.1548000
• 1.31.13-gke.1454000
• 1.30.14-gke.1719000
• 1.29.15-gke.2467000
• 1.28.15-gke.3163000

The following GKE versions have been updated with code to fix these vulnerabilities on Ubuntu. Upgrade your GKE node pools to the following versions or later:

• 1.33.5-gke.1791000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

2025-11-27 Update: The following versions of GDC (bare metal) are updated with code to fix this vulnerability. Upgrade your GDC (bare metal) clusters to these versions or later:

• 1.31.1000-gke.44

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-17 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.32.9-gke.1462000
• 1.33.5-gke.1697000
• 1.34.1-gke.2909000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.5-gke.1162000
• 1.32.9-gke.1072000
• 1.28.15-gke.2751000
• 1.34.1-gke.1127000
• 1.30.14-gke.1267000
• 1.31.13-gke.1023000
• 1.29.15-gke.1936000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

2025-10-30 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to these versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to these versions or later:

• 1.28.15-gke.2740000
• 1.29.15-gke.1979000
• 1.30.14-gke.1267000
• 1.31.13-gke.1040000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1010000
• 1.28.15-gke.2740000
• 1.29.15-gke.1936000
• 1.31.12-gke.1220000
• 1.30.14-gke.1267000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

2025-10-30 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to these versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2767000
• 1.29.15-gke.2002000
• 1.30.14-gke.1349000
• 1.31.13-gke.1123000
• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.30.14-gke.1267000
• 1.31.13-gke.1023000
• 1.29.15-gke.1936000
• 1.33.5-gke.1162000
• 1.32.9-gke.1072000
• 1.28.15-gke.2751000
• 1.34.1-gke.1127000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

2025-10-27 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to these versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-24 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.13-gke.1059000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1108000
• 1.29.15-gke.1989000
• 1.31.13-gke.1023000
• 1.30.14-gke.1336000
• 1.28.15-gke.2751000
• 1.34.1-gke.1279000
• 1.33.5-gke.1162000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

2025-11-13 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1100-gke.40

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2767000
• 1.29.15-gke.2002000
• 1.30.14-gke.1349000
• 1.31.13-gke.1123000
• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2610000
• 1.32.9-gke.1010000
• 1.33.4-gke.1350000
• 1.29.15-gke.1835000
• 1.31.12-gke.1220000
• 1.30.14-gke.1267000
• 1.34.1-gke.1127000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

2025-10-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.4-gke.1036000
• 1.32.8-gke.1026000
• 1.31.12-gke.1014000
• 1.30.14-gke.1108000
• 1.29.15-gke.1820000
• 1.28.15-gke.2599000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

2025-10-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-09-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2697000
• 1.29.15-gke.1936000
• 1.30.14-gke.1150000
• 1.31.12-gke.1110000
• 1.32.8-gke.1170000
• 1.33.4-gke.1245000
• 1.34.0-gke.1662000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2527000
• 1.32.7-gke.1016000
• 1.33.3-gke.1392000
• 1.29.15-gke.1713000
• 1.31.11-gke.1064000
• 1.30.14-gke.1011000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38477

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2767000
• 1.29.15-gke.2002000
• 1.30.14-gke.1349000
• 1.31.13-gke.1123000
• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.7-gke.1016000
• 1.33.3-gke.1392000
• 1.29.15-gke.1713000
• 1.30.14-gke.1011000
• 1.31.11-gke.1064000
• 1.28.15-gke.2527000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38477

What should I do?

2025-10-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38477

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38477

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38477

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Ubuntu nodes:

• CVE-2025-37890

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.28.15-gke.2461000
• 1.29.15-gke.1614000
• 1.30.12-gke.1372000
• 1.31.10-gke.1067000
• 1.32.6-gke.1060000
• 1.33.2-gke.1384000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Ubuntu nodes:

• CVE-2025-37890

What should I do?

2025-11-10 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.300-gke.81

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Ubuntu nodes:

• CVE-2025-37890

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Ubuntu nodes:

• CVE-2025-37890

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Ubuntu nodes:

• CVE-2025-37890

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38083

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-08-28 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2564000
• 1.29.15-gke.1773000
• 1.30.14-gke.1036000
• 1.31.11-gke.1101000
• 1.32.7-gke.1079000
• 1.33.3-gke.1392000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.6-gke.1013000
• 1.29.15-gke.1607000
• 1.31.10-gke.1021000
• 1.30.12-gke.1333000
• 1.33.2-gke.1240000
• 1.28.15-gke.2456000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38083

What should I do?

2025-11-10 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.300-gke.81

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38083

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38083

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38083

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37752

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-09-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2697000
• 1.29.15-gke.1936000
• 1.30.14-gke.1150000
• 1.31.12-gke.1110000
• 1.32.8-gke.1170000
• 1.33.4-gke.1245000
• 1.34.0-gke.1662000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.1-gke.1584000
• 1.32.4-gke.1603000
• 1.31.9-gke.1176000
• 1.30.12-gke.1208000
• 1.28.15-gke.2303000
• 1.29.15-gke.1415000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37752

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37752

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37752

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37752

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38001

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-07-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your GKE Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2461000
• 1.29.15-gke.1614000
• 1.30.12-gke.1372000
• 1.31.10-gke.1067000
• 1.32.6-gke.1060000
• 1.33.2-gke.1384000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.1-gke.1959000
• 1.30.12-gke.1279000
• 1.31.9-gke.1287000
• 1.28.15-gke.2428000
• 1.29.15-gke.1549000
• 1.32.4-gke.1698000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38001

What should I do?

2025-11-10 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.300-gke.81

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38001

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38001

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38001

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37997

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-07-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your GKE Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2461000
• 1.29.15-gke.1614000
• 1.30.12-gke.1372000
• 1.31.10-gke.1067000
• 1.32.6-gke.1060000
• 1.33.2-gke.1384000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2403000
• 1.31.9-gke.1176000
• 1.30.12-gke.1246000
• 1.29.15-gke.1523000
• 1.33.1-gke.1545000
• 1.27.16-gke.2874000
• 1.32.4-gke.1603000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37997

What should I do?

2025-11-10 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.300-gke.81

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37997

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37997

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37997

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38000

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-07-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your GKE Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2461000
• 1.29.15-gke.1614000
• 1.30.12-gke.1372000
• 1.31.10-gke.1067000
• 1.32.6-gke.1060000
• 1.33.2-gke.1384000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.1-gke.1545000
• 1.27.16-gke.2874000
• 1.32.4-gke.1603000
• 1.28.15-gke.2403000
• 1.30.12-gke.1246000
• 1.31.9-gke.1176000
• 1.29.15-gke.1523000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38000

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38000

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38000

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38000

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

A security issue was discovered where attackers might be able to bypass workload isolation restrictions on GKE clusters. Only clusters relying on node isolation to separate workloads inside a cluster are affected. Note that node isolation should never be used as a primary security boundary.

To exploit this vulnerability, attackers must first gain access to the kubelet node client credentials. Access to these credentials typically requires root permissions on the host and access to the host filesystem. For most systems, this means you need both an application vulnerability to gain access to the workload and a container breakout vulnerability to gain access to the host. Attackers with access to such credentials could do the following:

• Attackers could re-register the node with the same name, but with different values for certain fields in the Node object. Specifically, an attacker could set .spec.providerID to point to a different instance in the cluster, causing the GKE control plane to delete the referenced Compute Engine instance.
• Attackers could also change .spec.taints to affect workload scheduling. When implementing node isolation as a security control, you must use labels and label selectors with the node-restriction.kubernetes.io/ prefix to prevent compromised nodes from manipulating scheduling behavior.

What should I do?

Implement the following changes to address this issue:

Address the provider ID issue by upgrading your GKE clusters to a patched version. The following versions of GKE or later have been updated to address the providerID issue:

• 1.33.1-gke.1386000
• 1.32.4-gke.1533000
• 1.31.9-gke.1119000
• 1.30.12-gke.1208000

Optionally, if you cannot upgrade, implement the following validating admission policy on your cluster to mitigate the providerID issue:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: validate-node-providerid
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["nodes"]
  matchConditions:
  - name: "has-providerid"
    expression: "has(object.spec.providerID)"
  validations:
  - expression: "object.spec.providerID == '' || object.spec.providerID.endsWith('/' + object.metadata.name)"
    message: "node.spec.providerID must match the node name"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: validate-node-providerid-binding
spec:
  policyName: validate-node-providerid
  validationActions: [Deny]

Use node restricted labels when isolating workloads to specific nodes as a security control

If you are using labels for node isolation, as described in Kubernetes documentation, use node restricted labels (for example, labels of the form node-restriction.kubernetes.io/example-constraint) in node affinity and node selector terms used for workload isolation.

Kubelet node credentials are prevented from applying such labels by the NodeRestriction admission controller. The NodeRestriction admission controller is built into Kubernetes and enabled on all GKE clusters.

GKE restricts the scope of node credentials on newly created nodes for new clusters

As an additional hardening measure, new clusters starting from GKE version 1.33.1-gke.1386000 restrict the scope of node credentials on newly created nodes. Node credentials are bound to the Compute Engine instance originally provisioned for the Node. After the instance is deleted, attackers are prevented from using such compromised credentials to register the Node, with attacker controlled taints or providerID values. You can create a new cluster with version 1.33.1-gke.1386000 or later for newly-created nodes to have this additional hardening.

A security issue was discovered where attackers might be able to bypass workload isolation restrictions on GKE clusters.

What should I do?

No action required. This issue is specific to how GKE nodes are provisioned and managed on Compute Engine, and does not apply to GDC (VMware).

A security issue was discovered where attackers might be able to bypass workload isolation restrictions on GKE clusters.

What should I do?

GKE on AWS

No action required. This issue is specific to how GKE nodes are provisioned and managed on Compute Engine, and does not apply to GKE on AWS.

GKE on AWS (previous generation)

No action required. This issue is specific to how GKE nodes are provisioned and managed on Compute Engine, and does not apply to GKE on AWS (previous generation).

A security issue was discovered where attackers might be able to bypass workload isolation restrictions on GKE clusters.

What should I do?

No action required. This issue is specific to how GKE nodes are provisioned and managed on Compute Engine, and does not apply to GKE on Azure.

A security issue was discovered where attackers might be able to bypass workload isolation restrictions on GKE clusters.

What should I do?

No action required. This issue is specific to how GKE nodes are provisioned and managed on Compute Engine, and does not apply to GDC (bare metal).

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37798

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-07-21 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your GKE Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2461000
• 1.29.15-gke.1614000
• 1.30.12-gke.1372000
• 1.31.10-gke.1067000
• 1.32.6-gke.1060000
• 1.33.2-gke.1384000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.29.15-gke.1415000
• 1.30.12-gke.1168000
• 1.31.9-gke.1044000
• 1.27.16-gke.2771000
• 1.28.15-gke.2303000
• 1.32.4-gke.1415000
• 1.33.1-gke.1107000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37798

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37798

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37798

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37798

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37797

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-08-26 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2507000
• 1.29.15-gke.1686000
• 1.30.14-gke.1011000
• 1.31.11-gke.1064000
• 1.32.7-gke.1079000
• 1.33.3-gke.1392000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.4-gke.1415000
• 1.28.15-gke.2303000
• 1.27.16-gke.2820000
• 1.33.1-gke.1107000
• 1.29.15-gke.1415000
• 1.31.9-gke.1044000
• 1.30.12-gke.1168000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37797

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37797

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37797

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-37797

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.