Flatcar Container Linux
lts-4081.3.7Provisioning & RuntimeA large security maintenance release for the LTS channel: kernel jumps from 6.6.107 to 6.6.127 and closes hundreds of CVEs accumulated since the last LTS point release, plus a ca-certificates update and a local dev fix for arm64 Macs.
securityApply the kernel update promptly — large CVE backlog closed
This release rolls up roughly 20 kernel point releases (6.6.107 through 6.6.127), closing several hundred CVEs accumulated over that span. Treat this as a mandatory patch cycle rather than a routine bump — teams on 4081.3.6 or earlier have been running with months of unpatched kernel CVEs, some of which affect networking, filesystems, and memory management subsystems commonly hit in container workloads. Roll this out to fleets on the LTS channel as soon as your update ring allows.
enhancementVerify TLS trust chains after ca-certificates 3.116→3.122 jump
ca-certificates jumped from 3.116 to 3.122, spanning multiple NSS releases. If you pin or vendor CA bundles separately from the OS image, check for any removed or distrusted root certificates in that range that could break TLS validation for internal services or older endpoints.
enhancementFaster local VM testing on Apple Silicon
The QEMU launcher script now enables HVF acceleration on arm64 Macs (Flatcar#1901). If you develop or test Flatcar images locally on Apple Silicon, update your local scripts/tooling to pick this up — VM boot and test cycles should be noticeably faster.
Key changes (5)
- Linux kernel updated from 6.6.107 to 6.6.127, bundling ~20 stable kernel releases
- Several hundred CVEs patched in this single release, spanning 2023–2026 disclosures
- ca-certificates updated from 3.116 to 3.122 (multiple NSS releases bundled)
- QEMU launcher script fix adds HVF acceleration for arm64 Macs, improving local VM performance
- No new features or config-breaking changes — this is a maintenance/security rollup