A container breakout vulnerability CVE-2026-46300 has been found in the Linux kernel, known as Fragnesia. It allows an unprivileged local attacker to escalate to root on the host.

GKE Standard clusters with Ubuntu nodes are impacted. GKE Standard clusters with Container-Optimized OS nodes are not impacted. GKE Autopilot is not impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

Upstream kernel patches have only recently been released. Those patches are being built into GKE releases and this bulletin will be updated when they are available. In the interim, partial mitigations are available below. Containers do not provide a robust security boundary, as container breakout vulnerabilities pose a significant risk. For secure workload isolation, we recommend using GKE Sandbox.

If possible, migrate your workloads to run as non-root. If your container needs to be root, consider setting the pod.spec.securityContext.seccompProfile.type to RuntimeDefault for all workloads in your cluster. As an added security measure, we also recommend setting the pod.spec.containers[*].securityContext.allowPrivilegeEscalation to false.

apiVersion: v1
kind: Pod
metadata:
  name: default-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: mycontainer
    image: ubuntu
    securityContext:
      allowPrivilegeEscalation: false

A container breakout vulnerability CVE-2026-46300 has been found in the Linux kernel, known as Fragnesia. It allows an unprivileged local attacker to escalate to root on the host.

What should I do?

A container breakout vulnerability CVE-2026-46300 has been found in the Linux kernel, known as Fragnesia. It allows an unprivileged local attacker to escalate to root on the host.

What should I do?

A container breakout vulnerability CVE-2026-46300 has been found in the Linux kernel, known as Fragnesia. It allows an unprivileged local attacker to escalate to root on the host.

What should I do?

A container breakout vulnerability CVE-2026-46300 has been found in the Linux kernel, known as Fragnesia. It allows an unprivileged local attacker to escalate to root on the host.

What should I do?

Container breakout vulnerabilities CVE-2026-43284 and CVE-2026-43500 have been found in the Linux kernel, known as DirtyFrag. They allow an unprivileged local attacker to escalate to root on the host.

There are two exploit paths.

rxrpc exploit path (CVE-2026-43500): Container-Optimized OS is not vulnerable because the vulnerable module is not compiled in. Ubuntu nodes are vulnerable.

esp4 exploit path (CVE-2026-43284): Both Container-Optimized OS and Ubuntu are vulnerable, but the GKE default seccomp profile provides a mitigation that protects all Autopilot clusters and Standard clusters with Autopilot-managed node pools. The esp4 exploit path requires the user to have the ability to make the unshare syscall to obtain CAP_NET_ADMIN. Containers that use the RuntimeDefault SeccompProfile can’t call unshare and are unaffected. Containers that grant CAP_NET_ADMIN explicitly are affected.

Containers using GKE Sandbox are not impacted.

What should I do?

Upstream kernel patches have only recently been released. Those patches are being built into GKE releases and this bulletin will be updated when they are available. In the interim, partial mitigations are available below. We do not recommend relying on containers as a security boundary, container breakout vulnerabilities are very common. Use GKE Sandbox instead.

If possible, migrate your workloads to run as non-root. If your container needs to be root, consider setting the pod.spec.securityContext.seccompProfile.type to RuntimeDefault for all workloads in your cluster. As an added security measure we also recommend setting the pod.spec.containers[*].securityContext.allowPrivilegeEscalation to false.

apiVersion: v1
kind: Pod
metadata:
  name: default-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: mycontainer
    image: ubuntu
    securityContext:
      allowPrivilegeEscalation: false

Container breakout vulnerabilities CVE-2026-43284 and CVE-2026-43500 have been found in the Linux kernel, known as DirtyFrag. They allow an unprivileged local attacker to escalate to root on the host.

What should I do?

Container breakout vulnerabilities CVE-2026-43284 and CVE-2026-43500 have been found in the Linux kernel, known as DirtyFrag. They allow an unprivileged local attacker to escalate to root on the host.

What should I do?

Container breakout vulnerabilities CVE-2026-43284 and CVE-2026-43500 have been found in the Linux kernel, known as DirtyFrag. They allow an unprivileged local attacker to escalate to root on the host.

What should I do?

Container breakout vulnerabilities CVE-22026-43284 and CVE-2026-43500 have been found in the Linux kernel, known as DirtyFrag. They allow an unprivileged local attacker to escalate to root on the host.

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23351

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.3-gke.1389000
• 1.34.6-gke.1154000
• 1.33.10-gke.1115000
• 1.32.13-gke.1258000
• 1.31.14-gke.1723000
• 1.30.14-gke.2320000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23351

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23351

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23351

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23351

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

A vulnerability in the Linux kernel (CVE-2026-31431) allows an unprivileged local attacker to write to the system page cache, potentially leading to local privilege escalation and container escape.

GKE Standard and Autopilot clusters are affected.

Containers using GKE Sandbox are not impacted.

What should I do?

2026-05-04 Update: The following versions of GKE are updated with code to fix this vulnerability on Container-Optimized OS. Upgrade your Container-Optimized OS node pools to the following versions or later:

• 1.36.0-gke.1555000
• 1.35.3-gke.1943000
• 1.34.7-gke.1292000
• 1.33.11-gke.1132000
• 1.32.13-gke.1446000
• 1.31.14-gke.1846000
• 1.30.14-gke.2439000

If you don't see these versions in the Google Cloud console, then use the gcloud container clusters upgrade gcloud CLI command to specify the versions and upgrade your node pools in Standard clusters and your control plane in Autopilot clusters.

Upstream kernel patches have only recently been released. Those patches are being built into GKE releases and this bulletin will be updated when they are available. In the interim, mitigations are available below.

We do not recommend relying on containers as a security boundary, container breakout vulnerabilities are very common. Use GKE Sandbox instead.

For immediate protection, mitigation advice here.

What vulnerabilities are being addressed?

The vulnerability, CVE-2026-31431, is a logic flaw in the Linux kernel's authencesn cryptographic template that chains AF_ALG and splice(). It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. Because the page cache is shared across the host, an attacker can exploit this to achieve root privileges or escape container boundaries by corrupting the in-memory versions of setuid binaries or other sensitive files.

A vulnerability in the Linux kernel (CVE-2026-31431) allows an unprivileged local attacker to write to the system page cache, potentially leading to local privilege escalation and container escape.

What should I do?

Upstream kernel patches have only recently been released. Those patches are being built into GKE releases and this bulletin will be updated when they are available. In the interim, mitigations are available below.

We do not recommend relying on containers as a security boundary, container breakout vulnerabilities are very common. Use GKE Sandbox instead.

For immediate protection, mitigation advice here.

What vulnerabilities are being addressed?

The vulnerability, CVE-2026-31431, is a logic flaw in the Linux kernel's authencesn cryptographic template that chains AF_ALG and splice(). It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. Because the page cache is shared across the host, an attacker can exploit this to achieve root privileges or escape container boundaries by corrupting the in-memory versions of sensitive files.

A vulnerability in the Linux kernel (CVE-2026-31431) allows an unprivileged local attacker to write to the system page cache, potentially leading to local privilege escalation and container escape.

What should I do?

Upstream kernel patches have only recently been released. Those patches are being built into GKE releases and this bulletin will be updated when they are available. In the interim, mitigations are available below.

We do not recommend relying on containers as a security boundary, container breakout vulnerabilities are very common. Use GKE Sandbox instead.

For immediate protection, mitigation advice here.

What vulnerabilities are being addressed?

The vulnerability, CVE-2026-31431, is a logic flaw in the Linux kernel's authencesn cryptographic template that chains AF_ALG and splice(). It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. Because the page cache is shared across the host, an attacker can exploit this to achieve root privileges or escape container boundaries by corrupting the in-memory versions of sensitive files.

A vulnerability in the Linux kernel (CVE-2026-31431) allows an unprivileged local attacker to write to the system page cache, potentially leading to local privilege escalation and container escape.

What should I do?

Upstream kernel patches have only recently been released. Those patches are being built into GKE releases and this bulletin will be updated when they are available. In the interim, mitigations are available below.

We do not recommend relying on containers as a security boundary, container breakout vulnerabilities are very common. Use GKE Sandbox instead.

For immediate protection, mitigation advice here.

What vulnerabilities are being addressed?

The vulnerability, CVE-2026-31431, is a logic flaw in the Linux kernel's authencesn cryptographic template that chains AF_ALG and splice(). It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. Because the page cache is shared across the host, an attacker can exploit this to achieve root privileges or escape container boundaries by corrupting the in-memory versions of sensitive files.

A vulnerability in the Linux kernel (CVE-2026-31431) allows an unprivileged local attacker to write to the system page cache, potentially leading to local privilege escalation and container escape.

What should I do?

GDC software for bare metal does not bundle an operating system in its distribution. Customers are responsible for installing and maintaining a supported Linux distribution on physical hardware.

To protect your cluster, check with your OS vendor to see if your underlying Linux distribution is affected, and apply the appropriate kernel updates.

As an immediate mitigation, mitigation advice here.

What vulnerabilities are being addressed?

The vulnerability, CVE-2026-31431, is a logic flaw in the Linux kernel's authencesn cryptographic template that chains AF_ALG and splice(). It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. Because the page cache is shared across the host, an attacker can exploit this to achieve root privileges or escape container boundaries by corrupting the in-memory versions of sensitive files.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23274

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.3-gke.1389000
• 1.34.6-gke.1154000
• 1.33.10-gke.1115000
• 1.32.13-gke.1258000
• 1.31.14-gke.1723000
• 1.30.14-gke.2320000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23274

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23274

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23274

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23274

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2025-38248

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1117000
• 1.32.13-gke.1090000
• 1.31.14-gke.1526000
• 1.30.14-gke.2192000

The following minor versions are affected. Upgrade your Ubuntu node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1117000
• 1.32.13-gke.1090000
• 1.31.14-gke.1526000
• 1.30.14-gke.2154000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2025-38248

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2025-38248

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2025-38248

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

• CVE-2025-38248

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23074

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-05-07 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.30.14-gke.2320000
• 1.31.14-gke.1723000
• 1.32.13-gke.1258000
• 1.33.10-gke.1115000
• 1.34.6-gke.1154000
• 1.35.3-gke.1234000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1076000
• 1.33.9-gke.1060000
• 1.32.13-gke.1059000
• 1.31.14-gke.1476000
• 1.30.14-gke.2117000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23074

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23074

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23074

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23074

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23209

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1060000
• 1.32.13-gke.1059000
• 1.31.14-gke.1599000
• 1.30.14-gke.2215000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23209

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23209

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23209

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23209

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23231

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.10-gke.1067000
• 1.32.13-gke.1205000
• 1.31.14-gke.1681000
• 1.30.14-gke.2286000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23231

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23231

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23231

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23231

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-04-15 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.3-gke.1234000
• 1.34.6-gke.1154000
• 1.33.10-gke.1115000
• 1.32.13-gke.1258000
• 1.31.14-gke.1723000
• 1.30.14-gke.2320000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1060000
• 1.32.13-gke.1059000
• 1.31.14-gke.1599000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23111

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1060000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2026-23273

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-31 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1153000
• 1.33.9-gke.1117000
• 1.32.13-gke.1090000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.12-gke.1127000
• 1.31.14-gke.1376000
• 1.30.14-gke.2192000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38616

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1485000
• 1.34.5-gke.1076000
• 1.33.9-gke.1060000
• 1.32.13-gke.1059000
• 1.31.14-gke.1476000
• 1.30.14-gke.2117000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.12-gke.1127000
• 1.31.14-gke.1376000
• 1.30.14-gke.2192000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38678

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.13-gke.1059000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.35.0-gke.2398000
• 1.32.11-gke.1174000
• 1.33.5-gke.2392000
• 1.34.3-gke.1318000
• 1.31.14-gke.1243000
• 1.30.14-gke.1922000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40297

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GKE control plane and infrastructure is not vulnerable. GKE core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GKE Nodes: The OpenSSL library included in the GKE Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GKE versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

2026-02-20 Update: The following versions of GKE are updated with code to fix this vulnerability. Upgrade your GKE node pools to the following versions or later:

• 1.35.0-gke.2398000
• 1.34.3-gke.1318000
• 1.33.5-gke.2392000
• 1.32.11-gke.1264000

There is no action at this time. This security bulletin will be updated when new GKE versions are available that use the patched version of OpenSSL.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GDC software for VMware control plane and infrastructure is not vulnerable. GDC software for VMware core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GDC software for VMware Nodes: The OpenSSL library included in the GDC software for VMware Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GDC software for VMware versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

There is no action at this time. This security bulletin will be updated when new Google Distributed Cloud versions are available that use the patched version of OpenSSL.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GKE on AWS control plane and infrastructure is not vulnerable. GKE on AWS core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GKE on AWS Nodes: The OpenSSL library included in the GKE on AWS Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GKE on AWS versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

There is no action at this time. This security bulletin will be updated when new GKE on AWS versions are available that use the patched version of OpenSSL.

Multiple security vulnerabilities have been identified in the OpenSSL library. The most significant finding is CVE-2025-15467, a critical vulnerability that might allow for remote code execution (RCE) or denial of service (DoS) attacks via network-based vectors.

GKE on Azure control plane and infrastructure is not vulnerable. GKE on Azure core infrastructure, including the Kubernetes API Server and Kubelet, remains unaffected. These services use BoringCrypto (a security-hardened module derived from BoringSSL), which does not contain the vulnerable code found in the standard OpenSSL distribution.

GKE on Azure Nodes: The OpenSSL library included in the GKE on Azure Node OS images (Container-Optimized OS and Ubuntu) contains the vulnerable code. While the control plane is secure, software running within your nodes or administrative tools on the host OS might be at risk.

Updated GKE on Azure versions will include will the latest version of OpenSSL, which addresses the following CVEs:

• CVE-2025-11187
• CVE-2025-15467
• CVE-2025-15468
• CVE-2025-15469
• CVE-2025-66199
• CVE-2025-68160
• CVE-2025-69418
• CVE-2025-69419
• CVE-2025-69420
• CVE-2025-69421
• CVE-2026-22795
• CVE-2026-22796

What should I do?

There is no action at this time. This security bulletin will be updated when new GKE on Azure versions are available that use the patched version of OpenSSL.

Several security issues have been discovered in OpenSSL. The most critical is CVE-2025-15467, which could be used to execute a denial of service or remote code execution attack over the internet.

GDC software for bare metal is not vulnerable to this threat. GDC software for bare metal uses BoringCrypto for network facing services such as the Kubernetes apiserver and Kubelet, and BoringCrypto is not affected by this vulnerability. BoringCrypto is extracted from BoringSSL, a fork of OpenSSL focused on security hardening and performance.

GDC software for bare metal does not provide a node OS. Customers are responsible for installing and maintaining a supported Linux distribution on physical hardware before installing the GKE software.

What should I do?

Update your Linux OS image to one that includes the latest Open SSL distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.1-gke.1396000
• 1.34.4-gke.1047000
• 1.33.8-gke.1026000
• 1.32.12-gke.1026000
• 1.31.14-gke.1336000
• 1.30.14-gke.1991000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.34.1-gke.3556000
• 1.30.14-gke.1719000
• 1.31.13-gke.1139000
• 1.29.15-gke.2467000
• 1.33.5-gke.1862000
• 1.32.9-gke.1239000
• 1.28.15-gke.3163000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39964

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.13-gke.1059000
• 1.31.14-gke.1423000
• 1.30.14-gke.2071000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1632000
• 1.29.15-gke.2553000
• 1.33.5-gke.1956000
• 1.34.1-gke.3556000
• 1.31.14-gke.1081000
• 1.30.14-gke.1794000
• 1.28.15-gke.3225000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40215

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1632000
• 1.28.15-gke.3225000
• 1.33.5-gke.1956000
• 1.34.1-gke.3556000
• 1.30.14-gke.1794000
• 1.31.14-gke.1081000
• 1.29.15-gke.2553000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40214

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1330000
• 1.34.1-gke.2541000
• 1.33.5-gke.1350000
• 1.31.13-gke.1231000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39965

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.1-gke.1396000
• 1.34.4-gke.1047000
• 1.33.8-gke.1026000
• 1.32.12-gke.1026000
• 1.31.14-gke.1476000
• 1.30.14-gke.2117000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2966000
• 1.32.9-gke.1330000
• 1.33.5-gke.1350000
• 1.29.15-gke.2236000
• 1.31.13-gke.1231000
• 1.30.14-gke.1525000
• 1.34.1-gke.2541000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.31.1100-gke.40

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40019

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.1-gke.1396000
• 1.34.4-gke.1047000
• 1.33.8-gke.1026000
• 1.32.12-gke.1026000
• 1.31.14-gke.1336000
• 1.30.14-gke.1991000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1330000
• 1.29.15-gke.2236000
• 1.30.14-gke.1525000
• 1.31.13-gke.1231000
• 1.34.1-gke.2541000
• 1.28.15-gke.2966000
• 1.33.5-gke.1350000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

The following versions of GDC (VMware) are updated with code to fix this vulnerability. Upgrade your GDC (VMware) clusters to the following versions or later:

• 1.31.1100-gke.40

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-40018

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

These vulnerabilities affect GKE Standard clusters running either Container-Optimized OS (COS) or Ubuntu node images, as well as Autopilot clusters. Node pools using GKE Sandbox are not affected and Windows node pools are not affected.

What should I do?

2025-11-27 Update: The following versions of GKE are updated with code to fix these vulnerabilities on Container-Optimized OS. Upgrade your GKE node pools to the following versions or later:

• 1.34.1-gke.3355000
• 1.33.5-gke.1791000
• 1.32.9-gke.1548000
• 1.31.13-gke.1454000
• 1.30.14-gke.1719000
• 1.29.15-gke.2467000
• 1.28.15-gke.3163000

The following GKE versions have been updated with code to fix these vulnerabilities on Ubuntu. Upgrade your GKE node pools to the following versions or later:

• 1.33.5-gke.1791000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

Several security issues have been discovered in runc, an open source software component used for running containers on GKE. The vulnerabilities (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow an attacker to execute a full container breakout, leading to root privilege escalation on the host node. An actor with privileges to deploy a malicious container image can exploit these vulnerabilities.

What should I do?

2025-11-27 Update: The following versions of GDC (bare metal) are updated with code to fix this vulnerability. Upgrade your GDC (bare metal) clusters to these versions or later:

• 1.31.1000-gke.44

GKE is developing new versions that include the fixes for these vulnerabilities. This bulletin will be updated once these new versions are available.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-17 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.32.9-gke.1462000
• 1.33.5-gke.1697000
• 1.34.1-gke.2909000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.5-gke.1162000
• 1.32.9-gke.1072000
• 1.28.15-gke.2751000
• 1.34.1-gke.1127000
• 1.30.14-gke.1267000
• 1.31.13-gke.1023000
• 1.29.15-gke.1936000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

2025-10-30 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to these versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39682

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-10-30 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to these versions or later:

• 1.28.15-gke.2740000
• 1.29.15-gke.1979000
• 1.30.14-gke.1267000
• 1.31.13-gke.1040000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1010000
• 1.28.15-gke.2740000
• 1.29.15-gke.1936000
• 1.31.12-gke.1220000
• 1.30.14-gke.1267000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

2025-10-30 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to these versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2024-58240

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2767000
• 1.29.15-gke.2002000
• 1.30.14-gke.1349000
• 1.31.13-gke.1123000
• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.30.14-gke.1267000
• 1.31.13-gke.1023000
• 1.29.15-gke.1936000
• 1.33.5-gke.1162000
• 1.32.9-gke.1072000
• 1.28.15-gke.2751000
• 1.34.1-gke.1127000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

2025-10-27 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to these versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38618

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2026-03-24 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.35.2-gke.1269000
• 1.34.4-gke.1193000
• 1.33.8-gke.1169000
• 1.32.13-gke.1059000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.32.9-gke.1108000
• 1.29.15-gke.1989000
• 1.31.13-gke.1023000
• 1.30.14-gke.1336000
• 1.28.15-gke.2751000
• 1.34.1-gke.1279000
• 1.33.5-gke.1162000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

2025-11-13 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1100-gke.40

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-39946

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2767000
• 1.29.15-gke.2002000
• 1.30.14-gke.1349000
• 1.31.13-gke.1123000
• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2610000
• 1.32.9-gke.1010000
• 1.33.4-gke.1350000
• 1.29.15-gke.1835000
• 1.31.12-gke.1220000
• 1.30.14-gke.1267000
• 1.34.1-gke.1127000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

2025-10-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38617

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-11-11 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.32.9-gke.1207000
• 1.33.5-gke.1308000
• 1.34.1-gke.2037000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.33.4-gke.1036000
• 1.32.8-gke.1026000
• 1.31.12-gke.1014000
• 1.30.14-gke.1108000
• 1.29.15-gke.1820000
• 1.28.15-gke.2599000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

2025-10-16 Update: The following versions of GDC software for VMware are updated with code to fix this vulnerability. Upgrade your GDC software for VMware clusters to the following versions or later:

• 1.31.1000-gke.44

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38500

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

GKE Standard clusters are impacted. GKE Autopilot clusters in the default configuration are not impacted, but might be vulnerable if you explicitly set the seccomp Unconfined profile or allow CAP_NET_ADMIN.

Clusters using GKE Sandbox aren't impacted.

What should I do?

2025-09-25 Update: The following versions of GKE are updated with code to fix this vulnerability on Ubuntu. Upgrade your Ubuntu node pools to the following versions or later:

• 1.28.15-gke.2697000
• 1.29.15-gke.1936000
• 1.30.14-gke.1150000
• 1.31.12-gke.1110000
• 1.32.8-gke.1170000
• 1.33.4-gke.1245000
• 1.34.0-gke.1662000

The following minor versions are affected. Upgrade your Container-Optimized OS node pools to one of the following patch versions or later:

• 1.28.15-gke.2527000
• 1.32.7-gke.1016000
• 1.33.3-gke.1392000
• 1.29.15-gke.1713000
• 1.31.11-gke.1064000
• 1.30.14-gke.1011000

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS nodes:

• CVE-2025-38350

What should I do?

There is no action required. GDC software for bare metal isn't affected as it does not bundle an operating system in its distribution.