Alibaba Cloud Linux 4 release notes


Alibaba Cloud regularly updates the Alibaba Cloud Linux 4 image to provide the latest OS features and security patches. This document lists the updates for each available image version.

Background

Unless otherwise specified, these updates apply to ECS in all regions.

2026

Alibaba Cloud Linux 4 LTS 64 bit Deb Edition 4.2404.1

| Version number | Image ID | Release date | Description |
| --- | --- | --- | --- |
| 4.2404.1 | adebe_24_04_x64_20G_alibase_20260525.vhd | 2026-06-05 | Base image: Alibaba Cloud Linux 4 LTS 64 bit Deb Edition 4.2404.1. Kernel version: 6.17.0-1017-aiext_6.17.0-1017.17.100 |

Content updates

This release upgrades the kernel major version from 6.8 to 6.17, upgrades core components such as kmod-fuse and base-files in sync, and consolidates fixes for long-standing defects.

Key updates

Kernel

  1. New features

    1. Kernel baseline upgraded from nvidia-6.8 to nvidia-6.17, introducing extensive upstream features and fixes.

    2. CXL Type-2 device support: added RAS error handling, CXL reset, state save/restore, and interleaving support.

    3. Network RSS + crypto offload optimization: refactored the xfrm_input locking mechanism to reduce lock contention in RSS scenarios.

    4. ETH driver small-queue memory allocation optimization: page_pool allocation cache scales with PAGE_SIZE.

    5. RDMA/core: fixed stale RoCE GID issue caused by netdev events during registration.

    6. Live Firmware Activation (LFA) support: improved LFA_BUSY handling and SMC retry pacing.

    7. Tegra BPMP ACPI + SoC Hub MBWT sysfs driver support (T410/NVL72).

    8. fs: enables fine-grained control over folio size.

  2. Compatibility: kernel baseline upgraded from 6.8 to 6.17. Not compatible with the previous 6.8.0-1036-aiext version; requires recompilation with the new kmod-fuse and OOT drivers.

  3. Stability

    1. Fixed nic-drivers-mellanox-rdma OOT module compilation failure caused by CXL/FWCTL configuration: disabled CONFIG_CXL_FEATURES and CONFIG_FWCTL*.

    2. Removed the mlx5_dpll.ko.zst module file to fix in-tree vs. OOT driver conflicts: disabled CONFIG_MLX5_DPLL.

    3. Reverted "net: virtio_net: implement exact header length guest feature" to fix virtual network compatibility issues.

    4. Reverted "virtio_pci: Support surprise removal of virtio pci device" to avoid abnormal behavior in virtualization scenarios.

    5. crypto: algif_aead - restored out-of-place operation mode to fix encryption stability issues.

  4. Security fixes

    1. Fixed security vulnerability CVE-2026-31431.

Image

  1. System version updated to 4.2404.1 (ALINUX_UPDATE_ID="1").

  2. Removed the /etc/modprobe.d/disable-algif_aead.conf file (CVE-2026-31431 is now fixed in the kernel; the workaround is no longer needed).

  3. Removed plymouth graphical boot and its dependencies.

  4. Added linux-firmware and firmware-sof-signed to resolve QAT identification issues.

  5. kmod-fuse upgraded to 6.17.0-1017-aiext-1.0.5.4-3 (from 6.8.0-1036-aiext-1.0.5.2-2).

  6. crashkernel parameter change: 64G-:512M changed to 64G-512G:512M,512G-:1G. crashkernel allocation is increased for high-memory scenarios.
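
The effect of the crashkernel change in item 6 can be checked with the following added example (not Alibaba Cloud's code). It evaluates the two fragments quoted above with the kernel's `start-[end]:size` range rule, where a range matches when start <= RAM < end. The function names are hypothetical, and only the fragments shown on this page are modelled, not the image's full crashkernel value.

```python
import re

# Suffix multipliers accepted for sizes such as "512M" or "64G".
_UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

# Constructed from the two fragments quoted in the release note; the full
# crashkernel= value shipped in the image may contain further ranges.
OLD_FRAGMENT = "64G-:512M"
NEW_FRAGMENT = "64G-512G:512M,512G-:1G"


def parse_size(text):
    """Convert a size such as '512M' or '1T' to bytes."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text.strip().upper())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_ranges(value):
    """Parse 'start-[end]:size[,...]' into (start, end, size) byte tuples.

    end is None for an open-ended range such as '512G-'.
    """
    ranges = []
    # An optional '@offset' suffix is not part of the range list.
    for entry in value.split("@", 1)[0].split(","):
        span, colon, size = entry.partition(":")
        start, dash, end = span.partition("-")
        if not colon or not dash:
            raise ValueError(f"bad range entry: {entry!r}")
        lo = parse_size(start)
        hi = parse_size(end) if end.strip() else None
        if hi is not None and hi <= lo:
            raise ValueError(f"range end must exceed start: {entry!r}")
        ranges.append((lo, hi, parse_size(size)))
    return ranges


def reserved_bytes(value, ram_bytes):
    """Return the reservation for the first range with start <= RAM < end.

    Returns 0 when no range matches, meaning nothing is reserved.
    """
    for lo, hi, size in parse_ranges(value):
        if ram_bytes >= lo and (hi is None or ram_bytes < hi):
            return size
    return 0


def compare(ram_sizes):
    """Return (ram, old_reservation, new_reservation) for each RAM size."""
    return [
        (ram,
         reserved_bytes(OLD_FRAGMENT, parse_size(ram)),
         reserved_bytes(NEW_FRAGMENT, parse_size(ram)))
        for ram in ram_sizes
    ]


if __name__ == "__main__":
    # Constructed sample host sizes on both sides of the 512G boundary.
    for ram, old, new in compare(["32G", "64G", "256G", "512G", "1T"]):
        print(f"{ram:>5}: old={old >> 20}M new={new >> 20}M")
```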

Alibaba Cloud Linux 4.0.3.0

| Version number | Image ID | Release date | Description |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 4.0.3.0 | aliyun_4_x64_20G_alibase_20260430.vhd | 2026-04-30 | Kernel version updated from kernel-6.6.102-5.3.alnx4 to kernel-6.6.102-5.3.1.alnx4 to fix CVE-2026-31431. Updated the Alibaba Cloud Linux 4 LTS 64-bit x86 architecture base image to the latest software version. |
| Alibaba Cloud Linux 4.0.3.0 | aliyun_4_arm64_20G_alibase_20260430.vhd | 2026-04-30 | Kernel version updated from kernel-6.6.102-5.3.alnx4 to kernel-6.6.102-5.3.1.alnx4 to fix CVE-2026-31431. Updated the Alibaba Cloud Linux 4 LTS 64-bit ARM architecture base image to the latest software version. |
| Alibaba Cloud Linux 4.0.3.0 | aliyun_4_x64_20G_container_optimized_alibase_20260430.vhd | 2026-04-30 | Kernel version updated from kernel-6.6.102-5.3.alnx4 to kernel-6.6.102-5.3.1.alnx4 to fix CVE-2026-31431. Updated Alibaba Cloud Linux 4 LTS 64-bit Container Optimized Edition. |
| Alibaba Cloud Linux 4.0.3.0 | aliyun_4_arm64_20G_container_optimized_alibase_20260430.vhd | 2026-04-30 | Kernel version updated from kernel-6.6.102-5.3.alnx4 to kernel-6.6.102-5.3.1.alnx4 to fix CVE-2026-31431. Updated Alibaba Cloud Linux 4 LTS 64-bit Container Optimized ARM Edition. |

Content updates

Key updates

Kernel

Changed from kernel-6.6.102-5.3.alnx4 to kernel-6.6.102-5.3.1.alnx4 to fix CVE-2026-31431.

A total of 11 components were updated. All updates are CVE patches and do not change baseline functionality.

Feature updates

alinux-release updated from alinux-release-4-13.alnx4 to alinux-release-4-13.1.alnx4. Image version identifier package update.

Bug fixes

| Component | Previous version | Updated version | Description |
| --- | --- | --- | --- |
| busybox | busybox-1.36.0-4.alnx4 | busybox-1.36.0-6.alnx4 | CVE-2026-26157/26158, CVE-2025-60876 |
| nfs-utils | nfs-utils-2.6.3-1.alnx4 | nfs-utils-2.6.3-3.alnx4 | CVE-2025-12801 |
| openssl | openssl-3.0.12-18.alnx4 | openssl-3.0.12-21.alnx4 | CVE-2026-28389/28390/31790 |
| python-pip | python-pip-23.3.1-5.alnx4 | python-pip-23.3.1-6.alnx4 | CVE-2025-66418/66471 |
| python-requests | python-requests-2.32.3-2.alnx4 | python-requests-2.32.3-3.alnx4 | CVE-2026-25645 |
| python3.11 | python3.11-3.11.6-16.alnx4 | python3.11-3.11.6-21.alnx4 | CVE-2026-6100, CVE-2025-11468, CVE-2026-4519, CVE-2026-3644, CVE-2025-12781 |
| sudo | sudo-1.9.15p5-3.alnx4 | sudo-1.9.15p5-4.alnx4 | CVE-2026-35535 |
| util-linux | util-linux-2.39.1-7.1.alnx4 | util-linux-2.39.1-8.1.alnx4 | CVE-2026-3184 |
| vim | vim-9.0.2092-10.alnx4 | vim-9.0.2092-13.alnx4 | CVE-2026-34982, CVE-2026-33412, CVE-2026-39881, CVE-2026-28417 |

Alibaba Cloud Linux 4.0.3

| Version number | Image ID | Release date | Description |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 4.0.3 | aliyun_4_x64_20G_alibase_20260402.vhd | 2026-4-20 | Updated the Alibaba Cloud Linux 4 LTS 64-bit x86 architecture base image to the latest software version. Kernel version updated to 6.6.102-5.3.alnx4.x86_64. For details, see Content updates. |
| Alibaba Cloud Linux 4.0.3 | aliyun_4_arm64_20G_alibase_20260402.vhd | 2026-4-20 | Updated the Alibaba Cloud Linux 4 LTS 64-bit ARM architecture base image to the latest software version. Kernel version updated to 6.6.102-5.3.alnx4.aarch64. For details, see Content updates. |
| Alibaba Cloud Linux 4.0.3 | aliyun_4_x64_20G_container_optimized_alibase_20260402.vhd | 2026-4-20 | Updated Alibaba Cloud Linux 4 LTS 64-bit Container Optimized Edition. Kernel version updated to 6.6.102-5.3.alnx4.x86_64. For details, see Content updates. |
| Alibaba Cloud Linux 4.0.3 | aliyun_4_arm64_20G_container_optimized_alibase_20260402.vhd | 2026-4-20 | Updated Alibaba Cloud Linux 4 LTS 64-bit Container Optimized ARM Edition. Kernel version updated to 6.6.102-5.3.alnx4.aarch64. For details, see Content updates. |

Content updates

Key updates

Kernel

Kernel upgraded from kernel-6.6.102-5.2.alnx4 to kernel-6.6.102-5.3.alnx4.

Performance optimization

  • Added SCHED_MM_CID kernel boot parameter control. Disabled by default to reduce scheduler overhead and improve general workload and microbenchmark performance.

  • Throttled tg->load_avg update frequency (at most once per 1ms), aligned with the PELT time window to significantly reduce lock contention and restore CPU selection accuracy.

New features

New components

  • Added component openjph (openjph-0.26.0-1.alnx4). Upgraded OpenEXR to 3.4.4-1 to fix CVE-2025-12840. Available in yum repo.

  • Added component traceroute (traceroute-2.1.6-1.alnx4). Previously missing from alinux4 repo, causing some network-related tests to fail. Available in yum repo.

  • Added component ossfs (ossfs-1.91.9-1.alnx4). Updated ossfs 1.0 to 1.91.9. Available in yum repo.

  • Added component ossfs2 (ossfs2-2.0.6-1.alnx4). Available in yum repo.

  • Added component update-motd (update-motd-1.1.2-1.alnx4). Fixed CheckMotd E2E test failure on Alinux4.0 public cloud ECS images. Updated in image.

Feature updates

  • alinux-release updated from alinux-release-4-12.alnx4 to alinux-release-4-13.alnx4. Released Alinux 4.0.3 and Pro edition. Updated in image.

  • gcc updated from gcc-12.3.0-14.alnx4 to gcc-12.3.0-15.alnx4. Improved Unixbench dhry2reg performance by 5%. Updated in image.

  • ras-tools updated from ras-tools-0.1-1.alnx4 to ras-tools-0.2-1.alnx4. Available in yum repo.

  • util-linux updated from util-linux-2.39.1-7.alnx4 to util-linux-2.39.1-7.1.alnx4. Enabled fstrim service in ECS images. Updated in image.

  • containerd updated from containerd-1.7.29-1.alnx4 to containerd-1.7.29-2.alnx4. Added LoongArch64 architecture support. Available in yum repo.

  • containernetworking-plugins updated from containernetworking-plugins-1.2.0-3.alnx4 to containernetworking-plugins-1.3.0-1.alnx4. Required by kata 3.13 upgrade. Available in yum repo.

  • java-1.8.0-alibaba-dragonwell updated from java-1.8.0-alibaba-dragonwell-8.15.16.372-2.alnx4 to java-1.8.0-alibaba-dragonwell-8.24.23.442-1.alnx4. Available in yum repo.

  • libuv updated from libuv-1.49.2-1.alnx4 to libuv-1.51.0-1.alnx4. Upgraded to 1.51.0 to support Node.js 22.22.0 and skipped UDP multicast test on RISC-V64. Available in yum repo.

  • llvm18 updated from llvm18-18.1.8-2.alnx4 to llvm18-18.1.8-3.alnx4. Added SW64 architecture support. Available in yum repo.

  • nodejs updated from nodejs-22.16.0-1.alnx4 to nodejs-22.16.0-3.alnx4. Added RISC-V64 and LoongArch64 architecture support, added V8 distribution, added SQLite source package link, and removed unused code. Available in yum repo.

  • protobuf-c updated from protobuf-c-1.4.1-3.alnx4 to protobuf-c-1.4.1-4.alnx4. Added protobuf 25.1 support, removed obsolete conditional compilation macros, updated dependency version requirements, and fixed compatibility issues with newer protobuf versions. Available in yum repo.

  • python-sympy updated from python-sympy-1.11.1-2.alnx4 to python-sympy-1.13.3-1.alnx4. Updated to 1.13.1 for PyTorch 2.8.0. Available in yum repo.

  • qemu updated from qemu-8.2.0-37.alnx4 to qemu-8.2.0-39.alnx4. Added CSV3 VM fine-grained shared memory management support and related fixes, added Dhyana-v4 CPU model for i386 architecture. Available in yum repo.

  • rust updated from rust-1.84.1-4.alnx4 to rust-1.86.0-1.alnx4. Version upgrade. Available in yum repo.

  • spirv-headers updated from spirv-headers-1.5.5-2.alnx4 to spirv-headers-1.5.5-3.alnx4. Updated to 1.4.321.0 SDK. Available in yum repo.

Other updates: rebuilds and dependency fixes

Rebuilt with webkitgtk-2.50.3. Updated in yum repo:

  • devhelp updated from devhelp-43.0-2.alnx4 to devhelp-43.0-3.alnx4

  • glade updated from glade-3.40.0-5.alnx4 to glade-3.40.0-6.alnx4

  • yelp updated from yelp-42.2-5.alnx4 to yelp-42.2-6.alnx4

  • gnome-boxes updated from gnome-boxes-44.1-1.alnx4 to gnome-boxes-44.1-2.alnx4

  • evolution-data-server updated from evolution-data-server-3.48.1-1.alnx4 to evolution-data-server-3.48.1-2.alnx4

Rebuilt with ghostscript-10.06.0. Updated in yum repo:

  • graphviz updated from graphviz-9.0.0-2.alnx4 to graphviz-9.0.0-3.alnx4

  • libspectre updated from libspectre-0.2.12-1.alnx4 to libspectre-0.2.12-2.alnx4

  • texlive-base updated from texlive-base-20220321-19.alnx4 to texlive-base-20220321-20.alnx4

Security fixes

Kernel CVE fixes:

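| Component | Alibaba Cloud Linux 4.0.2 version | Alibaba Cloud Linux 4.0.3 version | CVE ID | Description |
| --- | --- | --- | --- | --- |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-38248 | Use-after-free in bridge multicast router port configuration |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-38502 | Fixed out-of-bounds access in BPF cgroup local storage |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-38616 | Use-after-free when TLS ULP underlying data is unexpectedly consumed |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-38678 | nf_tables update does not reject duplicate devices, causing incomplete hook unregistration |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-39682 | Improper handling of zero-length records on TLS rx_list, causing data corruption |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-39946 | TLS does not abort the stream on malformed headers, potentially causing skb space overflow |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-39964 | af_alg socket allows concurrent writes, causing data interleaving and internal state inconsistency |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-40018 | Use-after-free due to premature ip_vs_ftp unregistration during ipvs netns cleanup |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-40019 | Missing ssize validation in crypto essiv module for decryption and in-place encryption paths |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-40214 | Uninitialized scc_index in AF_UNIX GC, causing live socket receive queues to be incorrectly reclaimed |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-40215 | Deleting SA in xfrm does not synchronously remove associated fallback tunnel, causing stale references to trigger warnings |
| kernel | kernel-6.6.102-5.2.alnx4 | kernel-6.6.102-5.3.alnx4 | CVE-2025-40297 | Use-after-free when deleting ports due to bridge MST port state bypass |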

BaseOS CVE fixes:

| Component | Alibaba Cloud Linux 4.0.2 version | Alibaba Cloud Linux 4.0.3 version | CVE |
| --- | --- | --- | --- |
| ImageMagick | ImageMagick-7.1.2.8-1.alnx4 | ImageMagick-7.1.2.15-1.alnx4 | CVE-2025-68618, CVE-2026-22770, CVE-2026-23876, CVE-2026-23952, CVE-2026-30935, CVE-2026-30937, CVE-2026-28494, CVE-2026-30883, CVE-2026-28692, CVE-2026-28687, CVE-2026-28693, CVE-2026-28493, CVE-2026-28690, CVE-2026-31853, CVE-2026-27799, CVE-2026-25986, CVE-2026-25983, CVE-2026-25971, CVE-2026-25797, CVE-2026-25967, CVE-2026-25970, CVE-2026-25969, CVE-2026-25988, CVE-2026-24485, CVE-2026-26284, CVE-2026-25799, CVE-2026-26066, CVE-2026-25966, CVE-2026-24484, CVE-2026-24481, CVE-2026-25796, CVE-2026-25794, CVE-2026-25798, CVE-2026-25637, CVE-2026-25576 |
| NetworkManager | NetworkManager-1.44.2-4.alnx4 | NetworkManager-1.44.2-5.alnx4 | CVE-2025-9615 |
| OpenEXR | OpenEXR-3.1.6-8.alnx4 | OpenEXR-3.4.4-2.alnx4 | CVE-2025-12840 |
| alsa-lib | alsa-lib-1.2.9-1.alnx4 | alsa-lib-1.2.9-2.alnx4 | CVE-2026-25068 |
| arm-trusted-firmware | arm-trusted-firmware-2.12.1-1.alnx4 | arm-trusted-firmware-2.12.1-2.alnx4 | CVE-2024-7881 |
| avahi | avahi-0.8-8.alnx4 | avahi-0.8-10.alnx4 | CVE-2025-68471, CVE-2025-68468, CVE-2025-68276, CVE-2026-24401 |
| binutils | binutils-2.41-13.alnx4 | binutils-2.41-14.alnx4 | CVE-2025-11083 |
| capstone | capstone-4.0.2-4.alnx4 | capstone-4.0.2-6.alnx4 | CVE-2025-67873, CVE-2025-68114 |
| composer | composer-2.7.1-4.alnx4 | composer-2.7.1-5.alnx4 | CVE-2025-67746 |
| curl | curl-8.4.0-12.alnx4 | curl-8.4.0-13.alnx4 | CVE-2025-14524, CVE-2025-15224, CVE-2025-14819, CVE-2025-14017, CVE-2025-15079, CVE-2025-10966 |
| edk2 | edk2-202402-21.alnx4 | edk2-202402-24.alnx4 | CVE-2025-3770, CVE-2024-38798 |
| expat | expat-2.5.0-8.alnx4 | expat-2.5.0-11.alnx4 | CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777 |
| firefox | firefox-140.5.0-1.alnx4 | firefox-140.8.0-1.alnx4 | CVE-2025-14321, CVE-2025-14322, CVE-2025-14323, CVE-2025-14324, CVE-2025-14325, CVE-2025-14328, CVE-2025-14329, CVE-2025-14330, CVE-2025-14331, CVE-2025-14333, CVE-2026-0887, CVE-2026-0886, CVE-2026-0890, CVE-2026-0880, CVE-2026-0885, CVE-2026-0878, CVE-2025-14327, CVE-2026-0882, CVE-2026-0879, CVE-2026-0877, CVE-2026-0884, CVE-2026-0883, CVE-2026-0891, CVE-2026-0892, CVE-2025-6965, CVE-2026-2766, CVE-2026-2783, CVE-2026-2779, CVE-2026-2773, CVE-2026-2776, CVE-2026-2782, CVE-2026-2807, CVE-2026-2804, CVE-2026-2763, CVE-2026-2805, CVE-2026-2803 |
| fonttools | fonttools-4.57.0-1.alnx4 | fonttools-4.61.0-1.alnx4 | CVE-2025-66034 |
| ghostscript | ghostscript-10.05.1-5.alnx4 | ghostscript-10.06.0-1.alnx4 | CVE-2025-59801 |
| gi-docgen | gi-docgen-2023.1-3.alnx4 | gi-docgen-2023.1-4.alnx4 | CVE-2025-11687 |
| giflib | giflib-5.2.2-2.alnx4 | giflib-5.2.2-3.alnx4 | CVE-2026-23868 |
| glib2 | glib2-2.78.3-9.alnx4 | glib2-2.78.3-11.alnx4 | CVE-2025-14087, CVE-2025-14512, CVE-2026-0988, CVE-2026-1489, CVE-2026-1485, CVE-2026-1484 |
| glibc | glibc-2.38-16.alnx4 | glibc-2.38-17.2.alnx4 | CVE-2026-0915, CVE-2025-15281, CVE-2024-33599, CVE-2026-0861, CVE-2024-33600 |
| gnupg2 | gnupg2-2.4.3-3.alnx4 | gnupg2-2.4.3-5.alnx4 | CVE-2025-68973, CVE-2026-24882 |
| go-rpm-macros | go-rpm-macros-3.6.0-2.alnx4 | go-rpm-macros-3.6.0-4.alnx4 | CVE-2025-61726 |
| golang | golang-1.24.11-1.alnx4 | golang-1.24.13-1.alnx4 | CVE-2025-68121, CVE-2025-61728, CVE-2025-61731 |
| gvfs | gvfs-1.54.4-2.alnx4 | gvfs-1.54.4-3.alnx4 | CVE-2026-28295 |
| haproxy | haproxy-3.0.5-3.alnx4 | haproxy-3.2.0-1.alnx4 | CVE-2025-59303 |
| harfbuzz | harfbuzz-8.4.0-1.alnx4 | harfbuzz-8.4.0-2.alnx4 | CVE-2026-22693 |
| jupyterlab | jupyterlab-4.3.2-1.alnx4 | jupyterlab-4.4.8-1.alnx4 | CVE-2024-43805, CVE-2025-59842 |
| libarchive | libarchive-3.7.1-9.alnx4 | libarchive-3.7.1-10.alnx4 | CVE-2026-4111 |
| libnbd | libnbd-1.20.3-1.alnx4 | libnbd-1.22.5-1.alnx4 | CVE-2025-14946 |
| libpcap | libpcap-1.10.4-2.alnx4 | libpcap-1.10.4-4.alnx4 | CVE-2025-11961 |
| libpng | libpng-1.6.40-3.alnx4 | libpng-1.6.40-5.alnx4 | CVE-2026-22801, CVE-2026-25646 |
| librsvg2 | librsvg2-2.57.1-1.alnx4 | librsvg2-2.57.4-2.alnx4 | CVE-2024-12224 |
| libsndfile | libsndfile-1.2.2-1.alnx4 | libsndfile-1.2.2-2.alnx4 | CVE-2025-56226 |
| libsodium | libsodium-1.0.18-1.alnx4 | libsodium-1.0.18-4.alnx4 | CVE-2025-69277, CVE-2025-15444 |
| libsoup | libsoup-2.74.3-19.alnx4 | libsoup-2.74.3-23.alnx4 | CVE-2026-1539, CVE-2025-14523, CVE-2026-1801, CVE-2026-1760, CVE-2026-2369, CVE-2026-1761 |
| libsoup3 | libsoup3-3.6.5-5.alnx4 | libsoup3-3.6.5-6.alnx4 | CVE-2025-12105 |
| libssh | libssh-0.10.5-12.alnx4 | libssh-0.10.5-13.alnx4 | CVE-2026-0967, CVE-2026-0968, CVE-2026-0966, CVE-2026-0964 |
| libtasn1 | libtasn1-4.19.0-3.alnx4 | libtasn1-4.19.0-5.alnx4 | CVE-2025-13151 |
| libvpx | libvpx-1.14.1-1.alnx4 | libvpx-1.14.1-3.alnx4 | CVE-2025-5283, CVE-2026-2447 |
| libxml2 | libxml2-2.11.5-15.alnx4 | libxml2-2.11.5-17.alnx4 | CVE-2026-1757, CVE-2026-0992, CVE-2026-0990 |
| libxslt | libxslt-1.1.43-3.alnx4 | libxslt-1.1.43-4.alnx4 | CVE-2025-7424 |
| linux-firmware | linux-firmware-20250311-1.alnx4 | linux-firmware-20260110-1.alnx4 | CVE-2024-36357 |
| munge | munge-0.5.15-1.alnx4 | munge-0.5.15-2.alnx4 | CVE-2026-25506 |
| mupdf | mupdf-1.25.0-4.alnx4 | mupdf-1.25.0-5.alnx4 | CVE-2026-25556 |
| mysql | mysql-8.0.44-1.alnx4 | mysql-8.0.45-1.alnx4 | CVE-2026-21964, CVE-2026-21937, CVE-2026-21948, CVE-2026-21941, CVE-2026-21968, CVE-2026-21936 |
| net-snmp | net-snmp-5.9.4-1.alnx4 | net-snmp-5.9.4-2.alnx4 | CVE-2025-68615 |
| nss | nss-3.112-1.alnx4 | nss-3.112-2.alnx4 | CVE-2026-2781 |
| ocaml | ocaml-4.14.0-3.alnx4 | ocaml-4.14.0-4.alnx4 | CVE-2026-28364, CVE-2025-69194 |
| openldap | openldap-2.6.5-1.alnx4 | openldap-2.6.5-2.alnx4 | CVE-2026-22185 |
| openssl | openssl-3.0.12-16.alnx4 | openssl-3.0.12-18.alnx4 | CVE-2025-69420, CVE-2025-69419, CVE-2026-22795, CVE-2026-22796, CVE-2025-68160, CVE-2025-69418, CVE-2025-69421, CVE-2025-15467 |
| openssl1.1 | openssl1.1-1.1.1q-8.alnx4 | openssl1.1-1.1.1q-11.alnx4 | CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2024-5535 |
| php | php-8.3.19-2.alnx4 | php-8.3.29-1.alnx4 | CVE-2025-14178, CVE-2025-14180, CVE-2025-14177 |
| postgresql | postgresql-15.15-1.alnx4 | postgresql-15.16-1.alnx4 | CVE-2026-2004, CVE-2026-2006, CVE-2026-2003, CVE-2026-2005 |
| python-aiohttp | python-aiohttp-3.9.5-2.alnx4 | python-aiohttp-3.9.5-4.alnx4 | CVE-2025-69228, CVE-2025-69227, CVE-2025-69225, CVE-2025-69229 |
| python-cryptography | python-cryptography-42.0.5-2.alnx4 | python-cryptography-42.0.5-3.alnx4 | CVE-2026-26007 |
| python-filelock | python-filelock-3.13.0-1.alnx4 | python-filelock-3.13.0-2.alnx4 | CVE-2026-22701, CVE-2025-68146 |
| python-multipart | python-multipart-0.0.20-1.alnx4 | python-multipart-0.0.22-1.alnx4 | CVE-2026-24486 |
| python-pillow | python-pillow-10.3.0-1.alnx4 | python-pillow-10.3.0-2.alnx4 | CVE-2026-25990 |
| python-pip | python-pip-23.3.1-4.alnx4 | python-pip-23.3.1-5.alnx4 | CVE-2026-1703 |
| python-ply | python-ply-3.11-6.alnx4 | python-ply-3.11-7.alnx4 | CVE-2025-56005 |
| python-pyasn1 | python-pyasn1-0.4.8-2.alnx4 | python-pyasn1-0.6.2-2.alnx4 | CVE-2026-23490 |
| python-starlette | python-starlette-0.46.2-1.alnx4 | python-starlette-0.49.1-1.alnx4 | CVE-2025-62727 |
| python-tornado | python-tornado-6.4.2-3.alnx4 | python-tornado-6.5.2-1.alnx4 | CVE-2025-67724 |
| python-unicodedata2 | python-unicodedata2-15.1.0-2.alnx4 | python-unicodedata2-17.0.0-2.alnx4 | CVE-2025-66034 |
| python-urllib3 | python-urllib3-1.26.19-3.alnx4 | python-urllib3-1.26.19-5.alnx4 | CVE-2026-21441, CVE-2025-66471 |
| python-virtualenv | python-virtualenv-20.28.0-1.alnx4 | python-virtualenv-20.28.0-2.alnx4 | CVE-2026-22702 |
| python3.11 | python3.11-3.11.6-11.alnx4 | python3.11-3.11.6-16.alnx4 | CVE-2025-13836, CVE-2025-13837, CVE-2025-15367, CVE-2025-15366, CVE-2026-0672, CVE-2026-1299, CVE-2026-0865, CVE-2025-15282 |
| pytorch | | pytorch-2.8.0-3.alnx4 | CVE-2025-55557, CVE-2025-55553, CVE-2025-55560, CVE-2025-2999, CVE-2025-46148, CVE-2025-55558, CVE-2025-63396, CVE-2025-32434, CVE-2026-24747 |
| ruby | ruby-3.3.9-5.alnx4 | ruby-3.3.9-6.alnx4 | CVE-2025-58767 |
| skopeo | skopeo-1.17.0-2.alnx4 | skopeo-1.17.0-3.alnx4 | CVE-2025-58183 |
| tar | tar-1.35-1.alnx4 | tar-1.35-2.alnx4 | CVE-2025-45582 |
| tracker-miners | tracker-miners-3.5.4-1.alnx4 | tracker-miners-3.5.4-2.alnx4 | CVE-2026-1767, CVE-2026-1765 |
| vim | vim-9.0.2092-8.alnx4 | vim-9.0.2092-10.alnx4 | CVE-2026-28420, CVE-2026-25749, CVE-2026-26269, CVE-2026-28418, CVE-2026-28422, CVE-2026-28421, CVE-2026-28419 |
| webkitgtk | webkitgtk-2.48.5-1.alnx4 | webkitgtk-2.50.4-1.alnx4 | CVE-2025-43434, CVE-2025-43419, CVE-2025-43440, CVE-2025-43392, CVE-2025-43427, CVE-2025-43431, CVE-2025-43443, CVE-2025-13502, CVE-2025-43425, CVE-2025-13947, CVE-2025-66287, CVE-2025-43430, CVE-2025-43429, CVE-2025-43541, CVE-2025-43529, CVE-2025-14174, CVE-2025-43535, CVE-2025-43536, CVE-2025-43531, CVE-2025-43501 |
| wireshark | wireshark-4.4.9-4.alnx4 | wireshark-4.4.9-6.alnx4 | CVE-2026-0959, CVE-2026-3201, CVE-2026-3203, CVE-2026-0961, CVE-2026-0962 |
| xorg-x11-server | xorg-x11-server-1.20.14-16.alnx4 | xorg-x11-server-1.20.14-17.alnx4 | CVE-2023-6816 |
| xpdf | xpdf-4.05-2.alnx4 | xpdf-4.06-1.alnx4 | CVE-2024-2971, CVE-2024-3900, CVE-2025-3154, CVE-2024-7868, CVE-2024-4141, CVE-2025-2574, CVE-2024-3248, CVE-2025-11896, CVE-2024-4568, CVE-2024-4976, CVE-2024-7866, CVE-2024-7867, CVE-2024-3247 |
| xrdp | xrdp-0.9.23.1-2.alnx4 | xrdp-0.9.23.1-3.alnx4 | CVE-2025-68670 |
| zlib | zlib-1.2.13-3.alnx4 | zlib-1.2.13-5.alnx4 | CVE-2026-27171 |

Bug fixes

  • Key kernel bug fixes

    • Fixed index alignment error in shmem huge page allocation fallback loop to prevent returning incorrect folio and user-space data corruption.

    • Fixed multiple mTHP swapin race conditions in shmem/swap paths to resolve softlockup and potential system hang.

    • Fixed soft lockup triggered by mprotect on large hugetlb memory regions.

    • Fixed schedule-while-atomic BUG and RCU warning in scheduler CPU dynamic isolation.

    • Fixed task_struct leak, ineffective eviction, and hard lockup caused by DELAY_DEQUEUE conflict related to IDPUSHEXPELLEE / ID_ABSOLUTE_EXPEL.

    • Fixed kernel panic caused by BPF LSM program returning illegal values.

    • Fixed slab reclamation underperformance during shrink_slab.

  • BaseOS bug fixes

    • alinux-base-setup updated from alinux-base-setup-4.1-7.alnx4 to alinux-base-setup-4.1-11.alnx4. Fixed dmesg warning logs and SSH connection failure when SELINUX is set to enforcing. Added two cmdline parameters (intel_idle.max_cstate=1 and processor.max_cstate=1) to improve post-boot Unixbench performance. Updated in image.

    • audit updated from audit-3.1.2-4.alnx4 to audit-3.1.2-5.alnx4. Fixed field error in spec file. Updated in image.

    • numactl updated from numactl-2.0.16-2.alnx4 to numactl-2.0.16-3.alnx4. Fixed numactl command not supporting --version. Updated in image.

    • numad updated from numad-0.5-1.20150602git.alnx4 to numad-0.5-2.20150602git.alnx4. Fixed -m parameter error. Available in yum repo.

    • brotli updated from brotli-1.1.0-1.alnx4 to brotli-1.1.0-3.alnx4. Backported Python output buffer limit tests and added tests for Decompressor methods. Updated in image.

    • moby updated from moby-24.0.9-8.alnx4 to moby-28.3.3-2.alnx4. Removed docker-ce dependency. Available in yum repo.

    • e2fsprogs updated from e2fsprogs-1.47.0-2.alnx4 to e2fsprogs-1.47.0-3.alnx4. Fixed reboot failure after installing development tools on Alinux 4. Updated in image.

Alibaba Cloud Linux 4.0.2

| Version number | Image ID | Release date | Description |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 4.0.2 | aliyun_4_x64_20G_alibase_20260120.vhd | 2026-01-20 | Updated the Alibaba Cloud Linux 4 LTS 64-bit base image for the x86 architecture to the latest version. Updated the kernel version to 6.6.102-5.2.alnx4.x86_64. For more information, see Updates. |
| Alibaba Cloud Linux 4.0.2 | aliyun_4_arm64_20G_alibase_20260120.vhd | 2026-01-20 | Updated the Alibaba Cloud Linux 4 LTS 64-bit base image for the ARM architecture to the latest version. Updated the kernel version to 6.6.102-5.2.alnx4.aarch64. For more information, see Updates. |
| Alibaba Cloud Linux 4.0.2 | aliyun_4_x64_20G_container_optimized_alibase_20260120.vhd | 2026-01-20 | Updated the Alibaba Cloud Linux 4 LTS 64-bit container-optimized edition. Updated the kernel version to 6.6.102-5.2.alnx4.x86_64. For more information, see Updates. |
| Alibaba Cloud Linux 4.0.2 | aliyun_4_arm64_20G_container_optimized_alibase_20260120.vhd | 2026-01-20 | Updated the Alibaba Cloud Linux 4 LTS 64-bit container-optimized edition for ARM. Updated the kernel version to 6.6.102-5.2.alnx4.aarch64. For more information, see Updates. |

Updates

Important updates

Kernel

The kernel is updated to kernel-6.6.102-5.2.alnx4.

Memory

  • Fixes the tmpfs Large Page allocation policy to ensure compatibility with previous versions.

  • Adds an atomic mode for RSS stats collection.

  • Optimizes maple tree copying and VMA (virtual memory area) replacement in dup_mmap() to improve fork() performance.

  • Backports optimization patches for vfs and ext4 block allocation from the upstream community to enhance performance in specific scenarios.

Other BaseOS updates

  • Breaking changes with controlled impact:

    • The default root file system for images continues to be ext4. After a comprehensive evaluation, Alinux 4, starting with version 4.0.2, will continue to use ext4 as the default root file system, consistent with Alinux 3, and will no longer use xfs. This decision is based on several key factors: ext4 has demonstrated higher stability in long-term production environments and through maintenance in the community's stable branch, delivered better performance in certain key scenarios, and provided a smoother migration path for users of Alinux 3 and earlier versions. Additionally, with the latest ANCK-6.6 Kernel's native support for ext4 Large folio, ext4's capabilities for Large Page memory usage are now comparable to those of xfs. This change is transparent to most users and does not affect daily use or O&M experience.

    • The auditd service starts automatically on boot. The alinux-base-setup package is updated from alinux-base-setup-4.1-6.alnx4 to alinux-base-setup-4.1-7.alnx4, adding a configuration to enable the auditd service at boot. This provides continuous security monitoring and reliable data support for troubleshooting, compliance auditing, and security protection. The configuration uses -a task,never, which prevents the recording of audit events related to process creation or execution. This conserves system resources, prevents system overload, and ensures a controlled impact.

  • New features:

    • New distributed middleware components. Adds the rabbitmq-server component (rabbitmq-server-3.13.0-1.alnx4) and its runtime dependencies (erlang-26.2.5.15-2.alnx4, wxGTK3-3.2.4-1.alnx4, erlang-rpm-macros-0.3.6-1.alnx4, elixir-1.16.1-1.alnx4, erlang-rebar-2.6.1-1.alnx4, python-httpbin-0.7.0-1.alnx4, and python-raven-6.10.0-1.alnx4). These components provide a distributed message queue service to enhance ecosystem support.

  • Enhancements:

    • The qemu component is updated from qemu-8.2.0-34.alnx4 to qemu-8.2.0-36.alnx4. This update fixes an initialization issue in the VFIO HCT module, updates ACPI tables for RISC-V virtual machines to support new hardware features (such as SRAT, SLIT, PLIC, APLIC, and IMSIC), optimizes memory management, enhances security to prevent ROP attacks, and improves code reusability.

    • erofs-utils is updated from erofs-utils-1.8.4-1.alnx4 to erofs-utils-1.8.10-1.alnx4. This update optimizes build performance for -Efragments and -Eall-fragments and further enhances mkfs.erofs metadata build performance. dump.erofs supports outputting file content with the --cat option, and tarerofs adds support for pre-1970 timestamps. Several stability bug fixes are also included.

    • glibc is updated from glibc-2.38-13.alnx4 to glibc-2.38-16.alnx4, enhancing system performance by changing the memory allocation policy and adjusting default thresholds.

    • alinux-release is updated from alinux-release-4-11.alnx4 to alinux-release-4-12.alnx4 to mark the release of Alinux 4.0.2.

Security fixes

| CVE ID | Severity | Affected component |
| --- | --- | --- |
| CVE-2025-10230 | Critical | samba |
| CVE-2025-9640 | High | samba |
| CVE-2025-8677 | High | bind |
| CVE-2025-8067 | High | udisks2 |
| CVE-2025-66293 | High | libpng |
| CVE-2025-64459 | High | python-django |
| CVE-2025-64458 | High | python-django |
| CVE-2025-6395 | High | gnutls |
| CVE-2025-62168 | High | squid |
| CVE-2025-6020 | High | pam |
| CVE-2025-5994 | High | unbound |
| CVE-2025-59682 | High | python-django |
| CVE-2025-59681 | High | python-django |
| CVE-2025-59088 | High | python-kdcproxy |
| CVE-2025-58098 | High | httpd |
| CVE-2025-57833 | High | python-django |
| CVE-2025-57803 | High | ImageMagick |
| CVE-2025-55780 | High | mupdf |
| CVE-2025-55753 | High | httpd |
| CVE-2025-55752 | High | tomcat |
| CVE-2025-55298 | High | ImageMagick |
| CVE-2025-55154 | High | ImageMagick |
| CVE-2025-52881 | High | runc |
| CVE-2025-50420 | High | poppler |
| CVE-2025-49844 | High | redis |
| CVE-2025-49809 | High | mtr |
| CVE-2025-48989 | High | tomcat |
| CVE-2025-40908 | High | perl-YAML-LibYAML |
| CVE-2025-40780 | High | bind |
| CVE-2025-40778 | High | bind |
| CVE-2025-31133 | High | runc |
| CVE-2025-26625 | High | git-lfs |
| CVE-2025-13699 | High | mariadb |
| CVE-2025-13016 | High | firefox |
| CVE-2025-13012 | High | firefox |
| CVE-2025-11715 | High | firefox |
| CVE-2025-11714 | High | firefox |
| CVE-2025-11711 | High | firefox |
| CVE-2025-11710 | High | firefox |
| CVE-2025-11709 | High | firefox |
| CVE-2025-11708 | High | firefox |
| CVE-2025-11561 | High | sssd |
| CVE-2025-11230 | High | haproxy |
| CVE-2025-11021 | High | libsoup3 |
| CVE-2025-11021 | High | libsoup |
| CVE-2025-0686 | High | grub2 |
| CVE-2025-0624 | High | grub2 |
| CVE-2024-45779 | High | grub2 |
| CVE-2024-4467 | High | qemu |
| CVE-2024-31082 | High | tigervnc |
| CVE-2024-31082 | High | xorg-x11-server |
| CVE-2024-25621 | High | containerd |
| CVE-2024-10963 | High | pam |
| CVE-2023-50387 | High | systemd |
| CVE-2025-14330 | High | firefox |
| CVE-2025-14324 | High | firefox |
| CVE-2025-14321 | High | firefox |
| CVE-2025-9230 | Medium | openssl |
| CVE-2025-8291 | Medium | python3.11 |
| CVE-2025-8114 | Medium | libssh |
| CVE-2025-7462 | Medium | ghostscript |
| CVE-2025-7345 | Medium | gdk-pixbuf2 |
| CVE-2025-66004 | Medium | usbmuxd |
| CVE-2025-65018 | Medium | libpng |
| CVE-2025-64506 | Medium | libpng |
| CVE-2025-64505 | Medium | libpng |
| CVE-2025-64329 | Medium | containerd |
| CVE-2025-64181 | Medium | OpenEXR |
| CVE-2025-62689 | Medium | libmicrohttpd |
| CVE-2025-62594 | Medium | ImageMagick |
| CVE-2025-62231 | Medium | xorg-x11-server-Xwayland |
| CVE-2025-62231 | Medium | tigervnc |
| CVE-2025-62231 | Medium | xorg-x11-server |
| CVE-2025-62230 | Medium | xorg-x11-server-Xwayland |
| CVE-2025-62230 | Medium | tigervnc |
| CVE-2025-62230 | Medium | xorg-x11-server |
| CVE-2025-62229 | Medium | xorg-x11-server-Xwayland |
| CVE-2025-62229 | Medium | tigervnc |
| CVE-2025-62229 | Medium | xorg-x11-server |
| CVE-2025-62171 | Medium | ImageMagick |
| CVE-2025-61985 | Medium | openssh |
| CVE-2025-61984 | Medium | openssh |
| CVE-2025-61915 | Medium | cups |
| CVE-2025-61723 | Medium | golang |
| CVE-2025-61664 | Medium | grub2 |
| CVE-2025-61663 | Medium | grub2 |
| CVE-2025-61662 | Medium | grub2 |
| CVE-2025-61661 | Medium | grub2 |
| CVE-2025-60753 | Medium | libarchive |
| CVE-2025-59800 | Medium | ghostscript |
| CVE-2025-59799 | Medium | ghostscript |
| CVE-2025-59798 | Medium | ghostscript |
| CVE-2025-59777 | Medium | libmicrohttpd |
| CVE-2025-59362 | Medium | squid |
| CVE-2025-59089 | Medium | python-kdcproxy |
| CVE-2025-58436 | Medium | cups |
| CVE-2025-58189 | Medium | golang |
| CVE-2025-58188 | Medium | golang |
| CVE-2025-58185 | Medium | golang |
| CVE-2025-58183 | Medium | golang |
| CVE-2025-58068 | Medium | python-eventlet |
| CVE-2025-57812 | Medium | libcupsfilters |
| CVE-2025-57807 | Medium | ImageMagick |
| CVE-2025-54771 | Medium | grub2 |
| CVE-2025-54770 | Medium | grub2 |
| CVE-2025-5455 | Medium | qt5-qtbase |
| CVE-2025-53101 | Medium | ImageMagick |
| CVE-2025-53069 | Medium | mysql |
| CVE-2025-53062 | Medium | mysql |
| CVE-2025-53054 | Medium | mysql |
| CVE-2025-53053 | Medium | mysql |
| CVE-2025-53045 | Medium | mysql |
| CVE-2025-53044 | Medium | mysql |
| CVE-2025-53042 | Medium | mysql |
| CVE-2025-53040 | Medium | mysql |
| CVE-2025-52886 | Medium | poppler |
| CVE-2025-52885 | Medium | poppler |
| CVE-2025-5222 | Medium | icu |
| CVE-2025-5187 | Medium | kubernetes |
| CVE-2025-50949 | Medium | fontforge |
| CVE-2025-47906 | Medium | golang |
| CVE-2025-47219 | Medium | gstreamer1-plugins-good |
| CVE-2025-47183 | Medium | gstreamer1-plugins-good |
| CVE-2025-46819 | Medium | redis |
| CVE-2025-46818 | Medium | redis |
| CVE-2025-46817 | Medium | redis |
| CVE-2025-4673 | Medium | golang |
| CVE-2025-46400 | Medium | transfig |
| CVE-2025-4432 | Medium | rust |
| CVE-2025-40929 | Medium | perl-Cpanel-JSON-XS |
| CVE-2025-32990 | Medium | gnutls |
| CVE-2025-32989 | Medium | gnutls |
| CVE-2025-32988 | Medium | gnutls |
| CVE-2025-32464 | Medium | haproxy |
| CVE-2025-24495 | Medium | microcode_ctl |
| CVE-2025-23050 | Medium | qt5-qtconnectivity |
| CVE-2025-21490 | Medium | mysql |
| CVE-2025-20623 | Medium | microcode_ctl |
| CVE-2025-20103 | Medium | microcode_ctl |
| CVE-2025-20054 | Medium | microcode_ctl |
| CVE-2025-20012 | Medium | microcode_ctl |
| CVE-2025-14104 | Medium | util-linux |
| CVE-2025-13946 | Medium | wireshark |
| CVE-2025-13601 | Medium | glib2 |
| CVE-2025-13499 | Medium | wireshark |
| CVE-2025-13193 | Medium | libvirt |
| CVE-2025-13020 | Medium | firefox |
| CVE-2025-13019 | Medium | firefox |
| CVE-2025-13018 | Medium | firefox |
| CVE-2025-13017 | Medium | firefox |
| CVE-2025-13014 | Medium | firefox |
| CVE-2025-13013 | Medium | firefox |
| CVE-2025-12818 | Medium | postgresql |
| CVE-2025-12818 | Medium | libpq |
| CVE-2025-12748 | Medium | libvirt |
| CVE-2025-11712 | Medium | firefox |
| CVE-2025-11683 | Medium | perl-YAML-Syck |
| CVE-2025-11626 | Medium | wireshark |
| CVE-2025-11568 | Medium | luksmeta |
| CVE-2025-11411 | Medium | unbound |
| CVE-2025-1125 | Medium | grub2 |
| CVE-2025-1118 | Medium | grub2 |
| CVE-2025-11082 | Medium | gdb |
| CVE-2025-10911 | Medium | libxslt |
| CVE-2025-10158 | Medium | rsync |
| CVE-2025-0838 | Medium | |

abseil-cpp

CVE-2025-0690

Medium

grub2

CVE-2025-0689

Medium

grub2

CVE-2025-0685

Medium

grub2

CVE-2025-0678

Medium

grub2

CVE-2025-0677

Medium

grub2

CVE-2025-0622

Medium

grub2

CVE-2024-8176

Medium

xmlrpc-c

CVE-2024-56738

Medium

grub2

CVE-2024-56737

Medium

grub2

CVE-2024-47081

Medium

python-pip

CVE-2024-45783

Medium

grub2

CVE-2024-45782

Medium

grub2

CVE-2024-45781

Medium

grub2

CVE-2024-45780

Medium

grub2

CVE-2024-45778

Medium

grub2

CVE-2024-45777

Medium

grub2

CVE-2024-45776

Medium

grub2

CVE-2024-45775

Medium

grub2

CVE-2024-45774

Medium

grub2

CVE-2024-45332

Medium

microcode_ctl

CVE-2024-43420

Medium

microcode_ctl

CVE-2024-38805

Medium

edk2

CVE-2024-28956

Medium

microcode_ctl

CVE-2024-22365

Medium

pam

CVE-2024-12243

Medium

gnutls

CVE-2024-12133

Medium

libtasn1

CVE-2024-0567

Medium

gnutls

CVE-2024-0553

Medium

gnutls

CVE-2023-46048

Medium

texlive-base

CVE-2018-17828

Medium

zziplib

CVE-2025-9403

Low

jq

CVE-2025-9230

Low

openssl1.1

CVE-2025-8277

Low

libssh

CVE-2025-66418

Low

python-urllib3

CVE-2025-64720

Low

libpng

CVE-2025-64524

Low

cups-filters

CVE-2025-6199

Low

gdk-pixbuf2

CVE-2025-6075

Low

python3.10

CVE-2025-6075

Low

python3.11

CVE-2025-55212

Low

ImageMagick

CVE-2025-53019

Low

ImageMagick

CVE-2025-53014

Low

ImageMagick

CVE-2025-4945

Low

libsoup3

CVE-2025-4945

Low

libsoup

CVE-2025-46394

Low

busybox

CVE-2025-46393

Low

ImageMagick

CVE-2025-43965

Low

ImageMagick

CVE-2025-30258

Low

gnupg2

CVE-2025-13015

Low

firefox

CVE-2025-11731

Low

libxslt

CVE-2025-0684

Low

grub2

CVE-2024-58251

Low

busybox

CVE-2024-57360

Low

binutils

CVE-2024-25177

Low

luajit

CVE-2024-13176

Low

openssl

Bug fixes

  • Key fixes

    • Updated glibc from glibc-2.38-13.alnx4 to glibc-2.38-15.alnx4 to resolve a MySQL performance regression.

    • Updated kexec-tools from kexec-tools-2.0.26-10.alnx4 to kexec-tools-2.0.26-12.alnx4 to fix a vmcore generation failure on the x86 architecture for the ecs.ebmg8i.48xlarge instance type.

    • Updated python-blivet from python-blivet-3.10.0-2.alnx4 to python-blivet-3.10.0-3.alnx4 to fix a UUID error during ISO installation when multiple NVMe disks are present.

    • Updated systemd from systemd-255-9.alnx4 to systemd-255-12.alnx4, resolving a device recognition issue after hot-plugging and fixing a load failure of the sg driver module.

  • General fixes

    • Updated python-rtslib from python-rtslib-2.1.75-2.alnx4 to python-rtslib-2.1.75-3.alnx4, fixing an error in targetcli.

    • Updated libcgroup from libcgroup-3.0.0-2.alnx4 to libcgroup-3.1.0-2.alnx4 to align the package with its upstream version.

    • Updated gdm from gdm-44.1-3.alnx4 to gdm-44.1-4.alnx4, fixing a screen corruption issue on Inspur systems caused by a conflict between Inspur's proprietary HAM chip and Wayland.

  • Miscellaneous updates and fixes

    • Updated junit5 from junit5-5.10.2-1.alnx4 to junit5-5.10.2-2.alnx4, fixing an inconsistent source MD5 checksum.

    • Updated mariadb-connector-c from mariadb-connector-c-3.4.4-1.alnx4 to mariadb-connector-c-3.4.4-2.alnx4, fixing an inconsistent source MD5 checksum.

    • Updated inkscape from inkscape-1.4.2-1.alnx4 to inkscape-1.4.2-2.alnx4, rebuilt after an update to poppler.

    • Updated vala from vala-0.56.9-1.alnx4 to vala-0.56.17-1.alnx4, fixing a gtksourceview5 build failure.

    • Updated qemu from qemu-8.2.0-34.alnx4 to qemu-8.2.0-37.alnx4, adjusting the Obsoletes declaration to resolve upgrade errors caused by the removal of certain binary packages in newer versions.

    • Updated cups-filters from cups-filters-2.0.0-1.alnx4 to cups-filters-2.0.1-2.alnx4, adjusting the Obsoletes declaration to resolve upgrade errors caused by the removal of certain binary packages in newer versions.

2025

Alibaba Cloud Linux 4 LTS 64 bit Deb Edition

Version number

Image ID

Release date

Release details

4.2404.0

alinux_4_deb_x64_20G_alibase_20251223.vhd

2025-12-30

  • Base image: Alibaba Cloud Linux 4 LTS 64 bit Deb Edition

  • Kernel version: 6.8.0-1036-aiext_6.8.0-1036.39.100

For more information, see Updates.

Updates

Alibaba Cloud Linux 4 LTS 64 bit Deb Edition provides improved training and inference performance compared to Ubuntu 24.04. The following results are from benchmarks that use the openclip and bevformer models:

  • Bevformer_base training

    The average throughput per step increases by ~6% at FP32 precision and by ~4% at FP16 precision.

  • Openclip (RN50) training and inference

    The average training throughput per step increases by ~13%, and the average inference throughput increases by ~30%.

Important updates

Kernel 6.8.0-1036-aiext_6.8.0-1036.39.100

  • New features

    • This update adds support for the large folio feature to address performance bottlenecks in CPFS-fuse.

  • Compatibility

    • Based on nvidia-ubuntu version 1036.39.

    • Changed the virtio-related kconfig options to m, which simplifies future stability fixes for virtio module issues.

  • Stability

    • Fixed a virtio net hdrlen issue in DPU scenarios.

    • Fixed a vblk iohang issue in DPU scenarios.

Packages

  1. Pre-installed kmod-fuse_6.8.0-1036-aiext-1.0.5.2-2 enhances support for fuse over io_uring mode and large folio, delivering performance of up to 1 million IOPS and 40 GB/s for cache read/write bandwidth.

  2. Keentune 3.4.1-1, a proprietary Alibaba Cloud product that uses expert knowledge and AI algorithms to optimize performance for AI workloads, is pre-installed.

  3. Memboost, a user mode memory optimization component available from the apt repository, uses configurable policies to balance memory performance, cost, and stability to help AI and high-concurrency workloads run efficiently.

Alibaba Cloud Linux 4.0.1

Version

Image ID

Release date

Description

Alibaba Cloud Linux 4.0.1

aliyun_4_x64_20G_alibase_20251011.vhd

2025-10-11

  • Updated the Alibaba Cloud Linux 4 LTS 64-bit base image for the x86 architecture to its latest version.

  • Updated the kernel to kernel-6.6.102-5.alnx4.

For details, see Updates.

aliyun_4_arm64_20G_alibase_20251011.vhd

2025-10-11

  • Released the Alibaba Cloud Linux 4 LTS 64-bit base image for the ARM architecture.

  • Kernel version: kernel-6.6.102-5.alnx4.

For details, see Updates.

aliyun_4_x64_20G_container_optimized_alibase_20251106.vhd

2025-11-24

  • Alibaba Cloud Linux 4 LTS 64-bit container-optimized version

  • Pre-installed software packages for containers.

  • Tuned kernel parameters for containers.

  • Adjusted default service startup configurations for containers.

For details, see Updates.

aliyun_4_arm64_20G_container_optimized_alibase_20251106.vhd

2025-11-24

  • Alibaba Cloud Linux 4 LTS 64-bit container-optimized version for ARM

  • Pre-installed software packages for containers.

  • Tuned kernel parameters for containers.

  • Adjusted default service startup configurations for containers.

For details, see Updates.

Updates

Important updates

Kernel

The kernel has been updated to kernel-6.6.102-5.alnx4.

  • Memory

    • Enabled huge page optimization for code by default in the cmdline.

    • Optimized the mremap() system call.

    • Optimized the folio move system call.

    • Optimized contiguous PTE operations.

    • Optimized the creation of tmpfs huge page mappings.

    • Optimized the mincore() system call.

    • Fixed the check for shmem large-order support.

    • Enabled creation of the entire large mapping on a tmpfs fault.

    • Fixed a performance issue caused by a semantic change in huge=always.

    • Optimized the batch size for 64K kernel memory statistics.

    • Backported mTHP support for madvise_free.

    • Ported the low-power container feature.

  • Architecture

    X86
    • Added support for EDAC, ISST, PMU-Core, PMU-Uncore, and PMU-CWF-events for the Intel CWF architecture.

    • Added support for AMD Fire Range CPUs.

    RISC-V
    • Added support for the rva23 mandatory instruction set.

    • Added support for multi-level page tables: SV32 (32-bit), SV39, SV48, and SV57 (64-bit).

    • Added support for HugeTLB and huge pages (NAPOT extension).

    • Added support for CPU hot-plug management through the SBI Hart State Management (HSM) extension.

    • Added support for atomic operation extensions (Zabha and Zacas).

    • Added support for the performance monitoring unit (PMU).

  • CVE fixes

    • CVE-2024-56775: The AMD display driver failed to correctly maintain plane reference counts when backing up and restoring plane state. This failure can cause a memory leak or illegal memory access, affecting display system stability and performance.

    • CVE-2024-21927: The nvme driver did not validate the NVMe-over-TCP PDU header length.

    • CVE-2024-38264: The nvme-tcp driver did not validate the request list, potentially causing a request-processing loop.

    • CVE-2024-39702: The ipv6/sr module did not use constant-time comparison for MAC addresses.

    • CVE-2024-39711: A missing mei_cldev_disable call can cause a use-after-free vulnerability.

    • CVE-2024-39746: Improper handling of unreliable hardware conditions can cause a system crash.

    • CVE-2024-39790: Failure to detect an event pointing to an unexpected TRE can cause a buffer double-free.

    • CVE-2024-39833: Deleting an uninitialized timer could cause debug warnings and system instability.

    • CVE-2024-39866: The __mark_inode_dirty function contained a use-after-free vulnerability.

Package updates

The BaseOS baseline for Alibaba Cloud Linux 4.0.1 is an updated release of Anolis OS 23.3.

  • Switched the default file system in ECS environments from ext4 to xfs, which significantly improves performance with the 6.6 kernel.

  • Switched the Docker provider to moby. The legacy docker component will no longer be updated but is retained in the repository. Its configuration prevents simultaneous installation with moby.

  • Disabled the rpcbind service by default to reduce open ports and enhance the security of public images.

  • Added the ossfs-1.91.7 component, a command-line interface (CLI) for Alibaba Cloud OSS. This tool mounts OSS buckets to your local file system, which simplifies object management and data sharing.

  • Added vtoa-2.1.1, which lets an instance retrieve the client's real IP address in FullNAT scenarios.

  • Added idlemd-2.5.2, a tool for monitoring and scheduling memory to manage idle resources.

  • Added fuse317-3.17, which provides the latest community support for FUSE over io_uring. This version also introduces the usrbio engine to support interfaces similar to DeepSeek-3FS.

  • Added tongsuo3-8.5.0 to support post-quantum cryptography and Guomi (Chinese commercial cryptographic algorithms).

Security updates

Package name

CVE ID

Updated version

tigervnc

CVE-2024-21885, CVE-2025-49175, CVE-2025-49176, CVE-2025-49178, CVE-2025-49179, CVE-2025-49180

tigervnc-1.13.1-5.alnx4

systemd

CVE-2025-4598

systemd-255-9.alnx4

redis

CVE-2025-27151, CVE-2025-32023, CVE-2025-48367

redis-7.2.10-1.alnx4

qemu

CVE-2024-26327

CVE-2024-26328

CVE-2024-3446

CVE-2024-3567

CVE-2024-7409

qemu-8.2.0-34.alnx4

python-paramiko

CVE-2023-48795

python-paramiko-3.4.0-1.alnx4

postgresql

CVE-2025-4207, CVE-2025-8713, CVE-2025-8714, CVE-2025-8715

postgresql-15.14-1.alnx4

openssl1.1

CVE-2022-4450

CVE-2023-0215

openssl1.1-1.1.1q-7.alnx4

openssh

CVE-2024-39894, CVE-2024-6387, CVE-2025-26466

openssh-9.6p1-3.alnx4

openjpeg2

CVE-2023-39327, CVE-2023-39328, CVE-2025-54874

openjpeg2-2.5.3-2.alnx4

nginx

CVE-2025-23419, CVE-2025-53859

nginx-1.26.2-3.alnx4

libxml2

CVE-2025-24928, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170, CVE-2025-7425

libxml2-2.11.5-15.alnx4

libssh2

CVE-2023-48795

libssh2-1.11.0-3.alnx4

libssh

CVE-2025-5318, CVE-2025-5351, CVE-2025-5372, CVE-2025-5987

libssh-0.10.5-10.alnx4

krb5

CVE-2025-24528

krb5-1.21.2-5.alnx4

jupyterlab

CVE-2024-43805

jupyterlab-4.3.2-1.alnx4

httpd

CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020

httpd-2.4.64-1.alnx4

firefox

CVE-2025-0247, CVE-2025-1943, CVE-2025-4918, CVE-2025-5283, CVE-2025-6965, CVE-2025-8027, CVE-2025-8028, CVE-2025-8034, CVE-2025-8035, CVE-2025-9179, CVE-2025-9180, CVE-2025-9181, CVE-2025-9185

firefox-140.3.0-1.alnx4

expat

CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-50602, CVE-2024-8176

expat-2.5.0-6.alnx4

aide

CVE-2025-54389

aide-0.19.2-1.alnx4

NetworkManager

CVE-2024-3661

CVE-2024-6501

NetworkManager-1.44.2-4.alnx4

yasm

CVE-2023-31975, CVE-2024-22653

yasm-1.3.0-11.alnx4

xorg-x11-server-Xwayland

CVE-2025-49175

CVE-2025-49176

CVE-2025-49177

CVE-2025-49178

CVE-2025-49179

CVE-2025-49180

xorg-x11-server-Xwayland-23.2.5-4.alnx4

xorg-x11-server

CVE-2025-49175

CVE-2025-49176

CVE-2025-49178

CVE-2025-49179

CVE-2025-49180

xorg-x11-server-1.20.14-15.alnx4

unbound

CVE-2024-43167

unbound-1.17.1-7.alnx4

tomcat

CVE-2025-46701, CVE-2025-48988, CVE-2025-49125, CVE-2025-52434, CVE-2025-52520, CVE-2025-53506

tomcat-9.0.107-1.alnx4

sqlite

CVE-2025-6965

sqlite-3.42.0-5.alnx4

ruby

CVE-2025-25186

CVE-2025-27219

CVE-2025-27221

ruby-3.3.9-5.alnx4

python3.11

CVE-2023-27043

CVE-2024-0397

CVE-2024-0450

CVE-2024-3219

CVE-2024-4032

CVE-2024-6232

CVE-2024-6923

CVE-2024-7592

CVE-2024-8088

CVE-2024-9287

CVE-2025-4516

CVE-2025-4517

CVE-2025-6069

CVE-2025-8194

python3.11-3.11.6-9.alnx4

python-virtualenv

CVE-2024-53899

python-virtualenv-20.28.0-1.alnx4

python-setuptools

CVE-2024-6345

CVE-2025-47273

python-setuptools-68.0.0-3.alnx4

python-black

CVE-2024-21503

python-black-24.3.0-1.alnx4

protobuf

CVE-2025-4565

protobuf-3.19.6-7.alnx4

polkit

CVE-2025-7519

polkit-123-2.alnx4

php

CVE-2024-11235, CVE-2025-1735, CVE-2025-6491

php-8.3.19-2.alnx4

perl

CVE-2024-56406, CVE-2025-40909

perl-5.36.3-18.alnx4

nodejs

CVE-2025-23084

nodejs-22.16.0-1.alnx4

ncurses

CVE-2025-6141

ncurses-6.4-5.20240127.alnx4

mercurial

CVE-2025-2361

mercurial-6.9.4-1.alnx4

libtiff

CVE-2025-8534

libtiff-4.7.1-1.alnx4

libsoup

CVE-2025-32052

CVE-2025-4476

CVE-2025-46421

CVE-2025-4948

libsoup-2.74.3-18.alnx4

libpq

CVE-2025-4207

libpq-15.13-1.alnx4

libarchive

CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918

libarchive-3.7.1-8.alnx4

keepalived

CVE-2024-41184

keepalived-2.3.2-1.alnx4

iputils

CVE-2025-47268

CVE-2025-48964

iputils-20221126-3.alnx4

iperf3

CVE-2025-54349

CVE-2025-54350

iperf3-3.19.1-1.alnx4

gstreamer1-plugins-bad-free

CVE-2025-3887

CVE-2025-6663

gstreamer1-plugins-bad-free-1.26.4-1.alnx4

gstreamer1

CVE-2025-6663

gstreamer1-1.26.4-1.alnx4

gnome-remote-desktop

CVE-2025-5024

gnome-remote-desktop-47.3-2.alnx4

gnome-control-center

CVE-2023-5616

gnome-control-center-47.3-1.alnx4

glibc

CVE-2025-8058

glibc-2.38-13.alnx4

glib2

CVE-2024-34397

CVE-2025-4056

CVE-2025-6052

glib2-2.78.3-8.alnx4

edk2

CVE-2024-1298, CVE-2024-38796, CVE-2024-38797

edk2-202402-19.alnx4

dpkg

CVE-2025-6297

dpkg-1.22.21-1.alnx4

djvulibre

CVE-2025-53367

djvulibre-3.5.28-4.alnx4

dav1d

CVE-2024-1580

dav1d-1.4.0-1.alnx4

coreutils

CVE-2024-0684

CVE-2025-5278

coreutils-9.4-6.alnx4

containerd

CVE-2024-40635

containerd-1.6.38-1.alnx4

ceph

CVE-2025-52555

ceph-18.2.1-5.alnx4

binutils

CVE-2024-53589

CVE-2025-3198

CVE-2025-5244

CVE-2025-5245

CVE-2025-7545

CVE-2025-7546

binutils-2.41-12.alnx4

augeas

CVE-2025-2588

augeas-1.14.2-2.alnx4

python-requests

CVE-2024-47081

python-requests-2.32.3-2.alnx4

fish

CVE-2023-49284

fish-3.6.0-3.alnx4

git

CVE-2024-52005

CVE-2025-48384

CVE-2025-48385

CVE-2025-48386

git-2.47.3-1.alnx4

jq

CVE-2025-49014

jq-1.8.1-1.alnx4

vim

CVE-2024-43374

CVE-2024-43802

vim-9.0.2092-8.alnx4

sudo

CVE-2025-32462

CVE-2025-32463

sudo-1.9.15p5-3.alnx4

perl-Module-ScanDeps

CVE-2024-10224

perl-Module-ScanDeps-1.31-3.alnx4

exiv2

CVE-2025-26623

exiv2-0.28.7-1.alnx4

apache-commons-io

CVE-2024-47554

apache-commons-io-2.16.1-1.alnx4

taglib

CVE-2023-47466

taglib-1.13-2.alnx4

iniparser

CVE-2025-0633

iniparser-4.1-6.alnx4

ppp

CVE-2024-58250

ppp-2.5.2-1.alnx4

transfig

CVE-2025-31162

CVE-2025-31163

CVE-2025-31164

CVE-2025-46397

CVE-2025-46398

CVE-2025-46399

transfig-3.2.9-3.alnx4

net-tools

CVE-2025-46836

net-tools-2.10-4.alnx4

yelp

CVE-2025-3155

yelp-42.2-5.alnx4

perl-Mojolicious

CVE-2024-58134

perl-Mojolicious-9.40-1.alnx4
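
To confirm that a host already carries the fixed builds listed in the table above, its package inventory can be compared against the "Updated version" column. The following Python script is an added example, not Alibaba Cloud tooling: the helper names are hypothetical, the comparison reimplements rpm's version-ordering rules, and the installed inventory is constructed sample data (on a real host it would come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`). It assumes one installed build per package name.

```python
"""Flag installed RPMs that are older than the fixed builds in the release notes."""
import re

_TOKEN = re.compile(r"~|\^|[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with rpm's rules: -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":      # tilde sorts before everything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":      # caret sorts after end of string, before anything else
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if x is None:                 # the string with segments left over is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nvr.strip().rsplit("-", 2)
    epoch, _, version = version.rpartition(":")
    return name, int(epoch or 0), version, release


def evr_cmp(a, b) -> int:
    """Compare two (epoch, version, release) tuples."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def missing_fixes(installed, fixed):
    """Return (name, fixed_build) for each installed package older than its fixed build."""
    have = {}
    for line in installed:
        name, *evr = parse_nvr(line)
        have[name] = tuple(evr)
    findings = []
    for line in fixed:
        name, *evr = parse_nvr(line)
        if name in have and evr_cmp(have[name], tuple(evr)) < 0:
            findings.append((name, line))
    return findings


# Fixed builds copied from the "Updated version" column of the table above.
FIXED_4_0_1 = [
    "openssh-9.6p1-3.alnx4",
    "sudo-1.9.15p5-3.alnx4",
    "systemd-255-9.alnx4",
    "libxml2-2.11.5-15.alnx4",
    "xorg-x11-server-Xwayland-23.2.5-4.alnx4",
    "tigervnc-1.13.1-5.alnx4",
]

# Constructed sample inventory, not taken from a real host.
INSTALLED = [
    "openssh-9.6p1-2.alnx4",                    # older release: flagged
    "sudo-1.9.15p5-3.alnx4",                    # exactly the fixed build: fine
    "systemd-255-12.alnx4",                     # 12 > 9 numerically, although "12" < "9" as text
    "libxml2-2.11.5-11.alnx4",                  # older release: flagged
    "xorg-x11-server-Xwayland-23.2.5-3.alnx4",  # hyphenated name, older release: flagged
]

if __name__ == "__main__":
    for name, fixed_build in missing_fixes(INSTALLED, FIXED_4_0_1):
        print(f"{name}: installed build is older than {fixed_build}")
```

Packages that are not installed (tigervnc in the sample) are skipped rather than reported.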

Bug fixes

  • Fixed errors that occurred when running the mvn command after installing Maven.

  • Resolved warnings in the environment log about a missing pam_fprintd.so file.

  • Corrected an inconsistency between the version of the lcov package reported by rpm -qi and its actual version.

  • Ensured cmdline settings configured in alinux-base-setup take effect.

  • Fixed an incorrect time zone path in the tzdata package.

  • Fixed failures that occurred when installing the nvidia-driver package.

Known issues

  • On an ECS instance of the ebmhfr7.48xlarge instance type, the NetworkManager-wait-online service fails to start during boot. This instance type includes a USB network device that increases the startup time for the NetworkManager service. As a result, the NetworkManager-wait-online service times out and fails to start. If you do not use the USB network device, you can configure NetworkManager not to manage usb0. To do so, edit the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file and add the following content:

    [device-usb0-unmanaged]
    match-device=interface-name:usb0
    managed=0

    After you edit the file, restart the NetworkManager service for the changes to take effect. NetworkManager will no longer manage the usb0 device. Restart the system and verify that the NetworkManager-wait-online service starts normally.

  • After installing a desktop environment from an ISO, the Sharing Settings menu is missing.

    This issue occurs because of a change in version 47 of gnome-control-center. The Sharing Settings menu now requires gnome-remote-desktop to enable the remote desktop protocol. This feature is currently unsupported but is planned for a future release.

  • After installing a desktop environment from an ISO, setting the time zone to Automatic in Date & Time Settings fails to disable manual region selection.

  • After installing a desktop environment from an ISO, changing the user avatar in User Settings fails.

  • On the x86 architecture, after installing a desktop environment from an ISO, changing the Display Orientation in Display Settings fails.

Alibaba Cloud Linux 4.0

Version

Image ID

Release date

Details

Alibaba Cloud Linux 4.0

aliyun_4_x64_20G_alibase_20250728.vhd

2025-07-28

  • Initial release of the Alibaba Cloud Linux 4 LTS 64-bit x86 base image.

  • Kernel version: kernel-6.6.88-4.2.alnx4

  • For details, see Updates.

Updates

Security updates

Package

CVE ID

Updated version

udisks2

libblockdev

CVE-2025-6019

udisks2-2.10.90-2.alnx4

python-tornado

CVE-2025-47287

python-tornado-6.4.2-2.alnx4

libsoup

CVE-2025-2784

CVE-2025-46420

CVE-2025-32914

CVE-2025-32913

CVE-2025-32912

CVE-2025-32911

CVE-2025-32910

CVE-2025-32909

CVE-2025-32907

CVE-2025-32906

CVE-2025-32053

CVE-2025-32050

CVE-2025-32049

libsoup-2.74.3-14.alnx4

xz

CVE-2025-31115

xz-5.4.7-3.alnx4

python-jinja2

CVE-2025-27516

CVE-2024-34064

python-jinja2-3.1.3-4.alnx4

wireshark

CVE-2025-1492

wireshark-4.4.2-3.alnx4

emacs

CVE-2025-1244

CVE-2024-53920

emacs-29.4-5.alnx4

curl

CVE-2025-0725

CVE-2025-0665

CVE-2025-0167

CVE-2024-11053

CVE-2024-9681

CVE-2024-8096

CVE-2024-7264

CVE-2024-2398

CVE-2024-2004

CVE-2023-46218

CVE-2023-46219

curl-8.4.0-11.alnx4

openssl

CVE-2024-13176

CVE-2024-9143

CVE-2024-6119

CVE-2024-4741

CVE-2024-4603

CVE-2024-2511

CVE-2024-0727

CVE-2023-6237

CVE-2023-6129

CVE-2023-5678

openssl-3.0.12-13.alnx4

docker

CVE-2024-41110

CVE-2024-36623

docker-24.0.9-6.alnx4

libxml2

CVE-2025-49794

CVE-2025-49796

CVE-2025-32415

CVE-2025-32414

CVE-2025-27113

CVE-2025-24928

CVE-2025-7425

CVE-2025-6170

CVE-2025-6021

CVE-2024-56171

CVE-2024-40896

CVE-2024-34459

CVE-2024-25062

libxml2-2.11.5-11.alnx4

krb5

CVE-2024-37371

CVE-2024-37370

CVE-2024-26462

CVE-2024-26461

CVE-2024-26458

krb5-1.21.2-4.alnx4

libcdio

CVE-2024-36600

libcdio-2.1.0-2.alnx4

unbound

CVE-2024-43168

CVE-2024-33655

CVE-2024-8508

CVE-2023-50868

CVE-2023-50387

unbound-1.17.1-6.alnx4

kubernetes

CVE-2024-10220

CVE-2024-3177

kubernetes-1.27.8-4.alnx4

libtiff

CVE-2024-7006

CVE-2023-52356

CVE-2023-52355

libtiff-4.6.0-2.alnx4

libsass

CVE-2022-43358

libsass-3.6.4-2.alnx4

uboot-tools

CVE-2022-34835

CVE-2022-33967

CVE-2022-2347

uboot-tools-2022.04-5.alnx4

djvulibre

CVE-2021-46312

CVE-2021-46310

CVE-2021-32493

CVE-2021-32491

CVE-2021-32490

djvulibre-3.5.28-3.alnx4

Important updates

Kernel

This release is based on the long-term support (LTS) Linux kernel 6.6: kernel-6.6.88-4.2.alnx4.x86_64.

  • Scheduling

    • Adds support for the sched_ext feature.

    • Supports the jbd2 lock handoff feature.

    • Improves EEVDF stability.

  • Memory

    • Supports the fast Out-of-Memory (OOM) feature.

    • Supports the page table page reclaim feature.

    • Supports the slab lockless shrink feature to improve the concurrent performance of slab shrinkers.

    • Supports the async fork feature to optimize the performance of the fork system call.

    • Supports the duptext feature, which is extended to support large folio.

    • The mmap() system call supports the THP align feature to increase the success rate of Transparent Huge Pages (THP) allocations.

  • Network

    • Maintains compatibility with numerous features from earlier 5.10-based kernels, including eRDMA, SMCv2, completion queue (CQ) optimization, sysctl optimizations, various stability fixes, the Write-with-Imm feature, link/lgr count optimization, packet capture, and memory watermark limits.

    • Supports the virtio-net XDP zerocopy feature.

  • BPF

    • Supports creating bpf timers with BPF_F_TIMER_CPU_PIN.

    • Supports __nullable configuration for struct_ops input parameters.

    • Allows bpf skel to directly access members of struct_ops maps.

    • Supports calling subroutines while holding a spinlock or rculock.

    • Supports bits iterators.

  • Storage

    • Supports the experimental ext4 large folio feature. This feature significantly improves buffered I/O performance. It is marked as EXPERIMENTAL and is disabled by default. To use this feature, enable it with the -o buffered_iomap option.

    • Addresses an issue with d2c latency statistics. Because of an upstream change, QUEUE_FLAG_STATS is no longer set by default, so d2c latency statistics are disabled by default. Because calling ktime_get_ns() can degrade performance on high-speed devices, a new sysfs interface is available to control these statistics.

  • Driver

    • The NVMe driver now supports Reservation and cloud disk activation.

    • Upgrades the hct driver module to support HCT version 2.1.

Userspace components

  • Core component updates

    • GCC toolchain: 12.3.0

    • binutils: 2.41

    • systemd: 255

    • grub2: 2.12

    • glibc: 2.38

    • util-linux: 2.39

    • LLVM: 17.0.6 (default). An llvm18 compatibility package is also available (requires the devel repository to be enabled).

    • OpenSSH: 9.6p1

    • python3: 3.11.6

    • glib2: 2.78.3

    • OpenSSL: 3.0.12 (default)

  • Common application component updates

    • qemu: 8.2.0 (default)

    • libvirt: 9.10.0 (default)

    • MySQL: 8.0.42 (default)

    • mariadb: 10.6.22 (default)

    • postgresql: 15.12 (default)

    • sqlite: 3.42.0

    • Rust: 1.84

    • Golang: 1.24

    • Nginx: 1.26

    • Apache (httpd): 2.4.62

    • bind: 9.18.34

    • php: 8.3.19

    • rpm: 4.18

    • dnf: 4.16

    • xfsprogs: 6.6.0

    • Docker: 24.09 (default). Podman is no longer supported.

    • Kubernetes: 1.27.8

    • Ruby: 3.3.7

    • Samba: 4.19.5

    • gcc-toolset-14: compilation tools are provided (requires the devel repository to be enabled).

  • Core configuration changes

    • Alibaba Cloud Linux 4 enables cgroup v2 by default. To switch to cgroup v1, see How to switch to cgroup v1 in Alibaba Cloud Linux 4.

    • The system disk for Alibaba Cloud Linux 4 uses the xfs file system by default. Because of newer features in xfs, systems with older kernel versions may not be able to read the disk's contents.

  • Notes

    • The current kernel version does not support Group Identity co-location technology.