RATATOSKRATATOSK
Sign in

Flatcar Container Linux

stable-4593.2.2Provisioning & Runtime
May 28, 2026

A pure security patch release: 50+ Linux kernel CVEs patched via a jump to kernel 6.12.91, plus updated CA certificates. No feature changes.

  • securitySchedule node reboots promptly — 50+ kernel CVEs patched

    This release patches a large batch of kernel CVEs, including several from 2025 and some tagged 2026 (likely pre-publication assignments). The sheer volume suggests broad attack surface coverage across networking and driver subsystems. Flatcar uses automatic updates by default, but if you've disabled auto-reboot or use a maintenance window controller like FLUO or Kured, verify that nodes are cycling through the update. Clusters where nodes haven't rebooted recently are carrying all of these exposures.

  • securityCA certificate bundle updated to NSS 3.124 — verify custom PKI setups

    The ca-certificates update to NSS 3.124 may add or distrust specific root CAs. If your workloads pin to system trust stores or you've layered custom CA bundles on top of the system bundle, test after the node update to confirm TLS handshakes still succeed. This is low-risk for standard setups but can quietly break internal services that rely on specific intermediates.

  • enhancementConfirm your update group is tracking stable, not pinned to a fixed version

    With patch-only releases like this, the fastest path to safety is having nodes enrolled in the stable channel with automatic updates enabled. If you pinned a specific image version for consistency, this is a good moment to re-evaluate — security-only patch releases are exactly the scenario the auto-update mechanism is designed for. Check your Container Linux Config or Butane spec to ensure the update strategy isn't set to 'off'.

Key changes (4)

  • Linux kernel updated from previous stable to 6.12.91 (incorporating 6.12.88 through 6.12.91 changes)
  • 50+ CVEs addressed in the Linux kernel, spanning networking, drivers, and subsystem components
  • ca-certificates updated to NSS 3.124, refreshing the trusted root CA bundle
  • No userspace or configuration changes — this is a kernel + cert update only