Container Optimized OS Updates: Kernel, Drivers, and Security Fixes

Container Optimized OS (COS) has been updated with a new Linux kernel version (6.18.32) and numerous security patches, including fixes for CVE-2025-38584 and CVE-2026-43060. The update also introduces support for new NVIDIA driver branches and adds the `cos_kernel_args` tool for manipulating kernel command line arguments. These changes are relevant for users running workloads on Google Cloud's Container Optimized OS, particularly those utilizing GPUs.

  • cos-129-19506-120-97
  • cos-dev-133-19804-0-0
  • cos-121-18867-381-132
  • cos-125-19216-395-31
  • cos-117-18613-613-15
Security (86)
  • Container Optimized OS

    Fixed CVE-2025-38584 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-23473 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43060 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43063 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43065 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43066 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43067 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43068 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43071 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43073 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43079 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43085 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43086 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43089 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43090 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43091 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43093 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43094 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43099 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43107 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43112 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43114 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43117 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43329 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43332 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43333 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43336 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43338 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43339 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43341 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43350 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43359 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43360 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43361 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43362 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43363 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43365 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43366 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-0994 in dev-libs/protobuf.

  • Container Optimized OS

    Fixed CVE-2026-43374 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-34743 in app-arch/xz-utils.

  • Container Optimized OS

    Fixed CVE-2026-43383 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-35385 and CVE-2026-35386 in net-misc/openssh.

  • Container Optimized OS

    Fixed CVE-2026-43392 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-35414 in net-misc/openssh.

  • Container Optimized OS

    Fixed CVE-2026-43393 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-4046 in sys-libs/glibc.

  • Container Optimized OS

    Fixed CVE-2026-43394 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-4437, CVE-2026-4438 in sys-libs/glibc.

  • Container Optimized OS

    Fixed CVE-2026-43403 in the Linux kernel.

  • Container Optimized OS

    Fixed EFI variable OOB read in grub config parsing.

  • Container Optimized OS

    Fixed CVE-2026-43409 in the Linux kernel.

  • Container Optimized OS

    Fixed argument injection in toolbox.

  • Container Optimized OS

    Fixed CVE-2026-43438 in the Linux kernel.

  • Container Optimized OS

    Updated go to v1.25.9. This resolves CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-27140, CVE-2026-27144.

  • Container Optimized OS

    Fixed CVE-2026-43439 in the Linux kernel.

  • Container Optimized OS

    Updated the Linux kernel to v6.18.31.

  • Container Optimized OS

    Fixed CVE-2026-43441 in the Linux kernel.

  • Container Optimized OS

    Upgraded containerd to v2.2.3. This fixes CVE-2026-35469.

  • Container Optimized OS

    Fixed CVE-2026-43448 in the Linux kernel.

  • Container Optimized OS

    Upgraded dev-libs/libgcrypt to v1.10.4 to fix CVE-2026-41989.

  • Container Optimized OS

    Fixed CVE-2026-43449 in the Linux kernel.

  • Container Optimized OS

    Upgraded dev-libs/openssl to v3.5.6 to fix CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31790.

  • Container Optimized OS

    Fixed CVE-2026-43450 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43451 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43452 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43453 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43466 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43469 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43470 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43472 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43475 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43482 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43486 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-43487 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-46333 in the Linux kernel.

  • Container Optimized OS

    Fixed argument injection in toolbox.

  • Container Optimized OS

    Fixed CVE-2026-43187 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-46333 in the Linux kernel.

  • Container Optimized OS

    Fixed argument injection in toolbox.

  • Container Optimized OS

    Fixed CVE-2025-38584 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-23473 in the Linux kernel.

  • Container Optimized OS

    Fixed CVE-2026-46333 in the Linux kernel.

  • Container Optimized OS

    Fixed argument injection in toolbox.

  • Container Optimized OS

    Fixed CVE-2026-46333 in the Linux kernel.

  • Container Optimized OS

    Fixed argument injection in toolbox.

Features (2)
  • Container Optimized OS

    Added the cos_kernel_args tool that allows manipulating kernel command line arguments of a COS image.

  • Container Optimized OS

    Added nvidia-fs support to the COS GPU installer.

Enhancements (22)
  • Container Optimized OS cos-129-19506-120-97

    Kernel: COS-6.12.77; Docker: v27.5.1; Containerd: v2.2.3; GPU Drivers: See List

  • Container Optimized OS cos-dev-133-19804-0-0

    Kernel: COS-6.18.32; Docker: v27.5.1; Containerd: v2.2.3; GPU Drivers: See List

  • Container Optimized OS

    Switch cchost-* boards to legacy iptables.

  • Container Optimized OS

    Added support for the R595 Nvidia driver production branch.

  • Container Optimized OS

    Apply hardening sysctls on cchost boards.

  • Container Optimized OS

    Dropped support for the NVIDIA 535 drivers.

  • Container Optimized OS

    Enabled mm hardening kernel cmdlines on cchost.

  • Container Optimized OS

    Increased the size of the EFI partition from 32 MiB to 64 MiB and increased the sizes of both kernel partitions from 16 MiB to 32 MiB on x86.

  • Container Optimized OS

    Made it so that /etc/machine-id is mounted with noexec, nosuid, and nodev.

  • Container Optimized OS

    Switch cchost-* boards to legacy iptables.

  • Container Optimized OS

    Updated the Linux kernel to v6.18.32.

  • Container Optimized OS

    Updated uhaul to v6.18-0.

  • Container Optimized OS

    Upgrade the Linux kernel to version 6.18.

  • Container Optimized OS

    Upgraded sys-apps/xemu to v0.0.9.

  • Container Optimized OS

    Upgraded sys-fs/cryptsetup to v2.8.6.

  • Container Optimized OS

    Upgraded sysram to v6.18-0.

  • Container Optimized OS

    Runtime sysctl changes:
      Added: dev.raid.sync_io_depth: 32
      Added: fs.dentry-negative: 0
      Added: fs.fanotify.watchdog_timeout: 0
      Added: fs.fuse.default_request_timeout: 0
      Added: fs.fuse.max_request_timeout: 0
      Added: kernel.core_modes: socket
      Added: kernel.hung_task_detect_count: 0
      Added: kernel.panic_sys_info:
      Added: net.ipv4.tcp_ecn_option: 2
      Added: net.ipv4.tcp_ecn_option_beacon: 3
      Added: net.ipv4.tcp_rto_max_ms: 120000
      Added: net.ipv4.tcp_tw_reuse_delay: 1000
      Added: net.ipv6.conf.all.force_forwarding: 0
      Added: net.ipv6.conf.default.force_forwarding: 0
      Added: net.ipv6.conf.docker0.force_forward

  • Container Optimized OS cos-121-18867-381-132

    Kernel: COS-6.6.137; Docker: v27.5.1; Containerd: v2.0.8; GPU Drivers: See List

  • Container Optimized OS

    Runtime sysctl changes: Added: net.ipv4.tcp_pingpong_thresh: 1

  • Container Optimized OS cos-125-19216-395-31

    Kernel: COS-6.12.85; Docker: v27.5.1; Containerd: v2.1.7; GPU Drivers: See List

  • Container Optimized OS

    Switch cchost-* boards to legacy iptables.

  • Container Optimized OS cos-117-18613-613-15

    Kernel: COS-6.6.137; Docker: v24.0.9; Containerd: v1.7.29; GPU Drivers: See List

Fixes (56)
  • Container Optimized OS

    Added support for NVIDIA driver v535.309.01.

  • Container Optimized OS

    Added support for NVIDIA driver v580.159.03.

  • Container Optimized OS

    Added support for NVIDIA driver v595.71.05.

  • Container Optimized OS

    Upgraded app-shells/dash to v0.5.13.4.

  • Container Optimized OS

    Upgraded cos-gpu-installer to v2.7.1.

  • Container Optimized OS

    Upgraded net-misc/rsync to v3.4.2.

  • Container Optimized OS

    Added support for NVIDIA driver v580.159.03.

  • Container Optimized OS

    Added support for NVIDIA driver v595.71.05.

  • Container Optimized OS

    Added support for NVIDIA drivers v580.126.16 and v580.126.20.

  • Container Optimized OS

    Dropped support for NVIDIA MFT Tools v4.32.0.

  • Container Optimized OS

    Upgraded CASFS to v0.1.3.

  • Container Optimized OS

    Upgraded app-admin/oslogin to v20260227.00.

  • Container Optimized OS

    Upgraded app-admin/oslogin to v20260430.00.

  • Container Optimized OS

    Upgraded app-admin/sosreport to v4.11.1.

  • Container Optimized OS

    Upgraded app-containers/docker-credential-helpers to v0.9.6.

  • Container Optimized OS

    Upgraded app-shells/dash to v0.5.13.3.

  • Container Optimized OS

    Upgraded app-shells/dash to v0.5.13.4.

  • Container Optimized OS

    Upgraded chromeos-base/chromeos-common-script to v0.0.1-r672.

  • Container Optimized OS

    Upgraded chromeos-base/debugd-client to v0.0.1-r2738.

  • Container Optimized OS

    Upgraded chromeos-base/google-breakpad to v2026.04.24.230834-r272.

  • Container Optimized OS

    Upgraded chromeos-base/google-breakpad to v2026.05.06.161957-r274.

  • Container Optimized OS

    Upgraded chromeos-base/power_manager-client to v0.0.1-r2973.

  • Container Optimized OS

    Upgraded chromeos-base/session_manager-client to v0.0.1-r2834.

  • Container Optimized OS

    Upgraded cos-gpu-installer to v2.7.1.

  • Container Optimized OS

    Upgraded dev-db/sqlite to v3.53.1.

  • Container Optimized OS

    Upgraded dev-libs/expat to v2.8.0.

  • Container Optimized OS

    Upgraded dev-libs/expat to v2.8.1.

  • Container Optimized OS

    Upgraded net-libs/libnetfilter_queue to v1.0.5-r1.

  • Container Optimized OS

    Upgraded net-misc/rsync to v3.4.2.

  • Container Optimized OS

    Upgraded sys-apps/makedumpfile to v1.7.9.

  • Container Optimized OS

    Upgraded sys-libs/libcap to v2.78.

  • Container Optimized OS

    Upgraded sys-process/lsof to v4.99.6.

  • Container Optimized OS

    Upgraded the dump capture kernel to Linux v6.18.

  • Container Optimized OS

    Added support for NVIDIA driver v535.309.01.

  • Container Optimized OS

    Added support for NVIDIA driver v580.159.03.

  • Container Optimized OS

    Upgraded app-admin/google-guest-configs to v20251014.00.

  • Container Optimized OS

    Upgraded app-containers/docker-credential-helpers to v0.9.4.

  • Container Optimized OS

    Upgraded cos-gpu-installer to v2.7.1.

  • Container Optimized OS

    Upgraded net-libs/libnetfilter_conntrack to v1.1.1.

  • Container Optimized OS

    Upgraded net-libs/libtirpc to v1.3.7.

  • Container Optimized OS

    Upgraded net-nds/rpcbind to v1.2.8.

  • Container Optimized OS

    Upgraded sys-apps/acl to v2.3.2-r3.

  • Container Optimized OS

    Upgraded sys-apps/gentoo-functions to v1.7.4.

  • Container Optimized OS

    Upgraded sys-auth/pambase to v20251104.

  • Container Optimized OS

    Upgraded sys-libs/libcap to v2.77.

  • Container Optimized OS

    Upgraded sys-libs/libseccomp to v2.6.0-r3.

  • Container Optimized OS

    Added support for NVIDIA driver v535.309.01.

  • Container Optimized OS

    Added support for NVIDIA driver v580.159.03.

  • Container Optimized OS

    Added support for NVIDIA driver v595.71.05.

  • Container Optimized OS

    Upgraded app-shells/dash to v0.5.13.4.

  • Container Optimized OS

    Upgraded cos-gpu-installer to v2.7.1.

  • Container Optimized OS

    Upgraded net-misc/rsync to v3.4.2.

  • Container Optimized OS

    Added support for NVIDIA driver v535.309.01.

  • Container Optimized OS

    Added support for NVIDIA driver v580.159.03.

  • Container Optimized OS

    Upgraded app-shells/dash to v0.5.13.4.

  • Container Optimized OS

    Upgraded cos-gpu-installer to v2.7.1.

Notes (1)
Read the original announcement →

https://docs.cloud.google.com/release-notes#May_21_2026