CRI-O shipped v1.36.0 on May 5, 2026, the matching CRI for Kubernetes 1.36. Patch releases for the older supported branches — v1.35.3, v1.34.8, and v1.33.12 — went out the same day.
CVE-2026-35469 across every supported branch
Every release in the May 5 batch updates spdystream from 0.5.0 to 0.5.1 to address CVE-2026-35469, a denial-of-service flaw in the Go SPDY library used by CRI streaming endpoints. The SPDY/3 frame parser allocates memory based on attacker-controlled counts and lengths without bounds checking, and because header blocks are zlib-compressed, a small on-the-wire payload can decompress into very large allocations. The CVSS 4.0 score is 8.7 (HIGH). The Red Hat advisory lists kubelet, CRI-O, and kube-apiserver as affected components.
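The bug class described above, as an added sketch in Go: it is not spdystream's code or the 0.5.1 patch, and it only illustrates capping the inflated size and checking counts and lengths before allocating from them. The limits and the names `parseFields`, `field` and `errBlock` are hypothetical, the layout (a 32-bit pair count followed by 32-bit length-prefixed names and values) follows SPDY/3 header blocks, and plain zlib is used without SPDY's preset dictionary.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"errors"
	"io"
)

// Hypothetical limits for this example; they are not spdystream's values.
const maxPairs, maxInflated = 128, 64 << 10

var errBlock = errors.New("header block malformed or over limit")

// field splits a 32-bit length-prefixed string off b after checking the length fits.
func field(b []byte) (string, []byte, error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return "", nil, errBlock
	}
	end := 4 + int(binary.BigEndian.Uint32(b))
	return string(b[4:end]), b[end:], nil
}

// parseFields inflates a header block and returns its alternating names and values.
func parseFields(compressed []byte) ([]string, error) {
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Read one byte past the cap so an oversized block is rejected, not buffered.
	raw, err := io.ReadAll(io.LimitReader(zr, maxInflated+1))
	if err != nil || len(raw) < 4 || len(raw) > maxInflated {
		return nil, errBlock
	}
	count, rest := binary.BigEndian.Uint32(raw), raw[4:]
	if count > maxPairs { // bound the pair count before allocating from it
		return nil, errBlock
	}
	fields := make([]string, 2*count)
	for i := range fields {
		if fields[i], rest, err = field(rest); err != nil {
			return nil, err
		}
	}
	return fields, nil
}
```

Bytes left over after the last field are ignored here; a stricter parser would reject them as well.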
What’s new in 1.36 itself
- CNI plugin health monitoring. CRI-O now continuously polls CNI plugins via the STATUS verb and reports NetworkReady accordingly, rather than discovering broken CNI only at pod-create time.
- min_injected_gomaxprocs config option. Lets operators set a floor for GOMAXPROCS in every container CRI-O creates — useful when CPU limits don’t match the thread-count assumptions of Go or Java workloads.
- Streaming container methods. Implements StreamContainers, StreamContainerStats, and StreamPodSandboxes, matching the newer streaming CRI surface.
- systemd + hostUsers: false regression fixed. A v1.35.0 regression that caused permission-denied failures for systemd containers with user namespaces is resolved.
- Fast-exit race. A race that reported exitCode 255 for containers that exited very quickly is fixed.
If you run CRI-O — including on the older 1.33–1.35 branches — patch level matters here regardless of whether you’ve consumed the matching Kubernetes patches.
Sources: CRI-O v1.36.0 release notes, CVE-2026-35469 (NVD), GHSA-pc3f-x583-g7j2 — May 5, 2026