CRI-O
v1.33.12Kubernetes Corev1.33.12 patches CVE-2026-35469 via a spdystream dependency bump and adds a new min_injected_gomaxprocs option for controlling GOMAXPROCS floor in containers.
securityPatch CVE-2026-35469 — upgrade now
The spdystream dependency update addresses CVE-2026-35469. Since spdystream handles HTTP/2 multiplexing in CRI-O's communication paths, any cluster running v1.33.x should move to v1.33.12 promptly. Check your vulnerability scanner results for this CVE and treat this as a routine security patch cycle rather than waiting for your next maintenance window.
enhancementUse min_injected_gomaxprocs to prevent CPU underutilization in Go workloads
Go runtimes default GOMAXPROCS to the number of logical CPUs on the node, which causes goroutine scheduling inefficiency when containers have small cpu.request values. This new option lets you set a floor (e.g., 2 or 4) so containers don't get starved of OS threads. It only applies to Burstable and BestEffort pods — Guaranteed QoS pods and partitioned workloads are unaffected. Start by auditing Go-based workloads in your cluster that run with low cpu.request; set min_injected_gomaxprocs conservatively and monitor goroutine behavior before widening the floor.
主な変更 (4)
- CVE-2026-35469 fixed by updating moby/spdystream from v0.5.0 to v0.5.1
- New min_injected_gomaxprocs config option sets a GOMAXPROCS floor for all containers CRI-O creates
- GOMAXPROCS injection logic: CRI-O injects max(floor, cpu.request), but only for non-Guaranteed QoS pods or partitioned workloads
- Guaranteed QoS pods and partitioned workloads are excluded from the GOMAXPROCS injection behavior