Releases: containers/crun

1.26

22 Dec 16:05

  • criu: enable setting of RPC config file via annotation org.criu.config. crun also reads /etc/criu/crun.conf or /etc/criu/runc.conf for CRIU configuration.
  • linux: run createContainer hooks before making root read-only.
  • utils: handle NULL container passed to libcrun_open_proc_file().
  • container: fix error release on failure paths.

1.25.1

25 Nov 14:49

  • linux: harden opens under /proc. Use fsopen, when available, to get a trusted reference to the proc file system and use it for all subsequent accesses instead of relying on the /proc path directly.

1.25

07 Nov 14:05

  • cgroup: enable all accounting properties to ensure stats are readable.
  • intelrdt: honor default closID.
  • src: fix some double allocations on errors.

1.24

09 Sep 20:19
5469320

  • linux: add support for NUMA set_mempolicy.
  • intelrdt: add support for EnableMonitoring.
  • linux: optimize masked paths with shared empty directory.
  • cgroup, systemd: validate the specified ebpf program is loaded by systemd.
  • krun: avoid failing if sev/nitro are not available.
  • linux: limit tmpfs memory usage for masked paths.
  • linux: fix regression mounting within userns. Detect when running inside a user namespace and treat the mounts in the same way as they would be treated with a new user namespace.
  • linux: never chown devices.

1.23.1

31 Jul 20:30
d20b23d

  • exec: fix a bug where the terminal could lose some bytes when reading from the exec'ed process.
  • utils: add bounds checking for Unix domain socket paths.

1.23

24 Jul 20:39
3fc2561

  • krun: enable virtio-gpu. Enable and configure a virtio-gpu device if /dev/dri and /usr/libexec/virgl_render_server are present within the container.
  • krun: add support for nitro enclaves.
  • criu: Add support for tcp-close.
  • linux: fix issue when RestrictAddressFamilies="AF_UNIX AF_NETLINK" is in place in the systemd unit. Regression introduced in crun 1.17.
  • cgroup,systemd: use BPFProgram=device on systemd to install the device controller eBPF.
  • cgroup,systemd: allow empty slice in cgroupsPath.
  • crun: print the program version even with an invalid rundir.
  • linux: fix regression with idmapped mounts. Support idmapped mounts also when there is no user namespace specified for the container. crun 1.22 introduced the regression.
  • cgroup: change formula to convert from cpu shares to cpu weight. The OCI CPU shares (range [2-262144]) to cgroup v2 cpu.weight (range [1-10000]) conversion formula has been updated to use a quadratic function so that min, max and default values match.
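The shares-to-weight conversion described in the last item, as an added worked example that is not crun's own code: it places the older linear interpolation next to a quadratic fit in log2 space. The quadratic coefficients are derived from the three anchor points the note gives (min, default, max of each range) and coincide with the curve runc adopted for the same purpose; that crun 1.23 uses exactly this formula is an assumption, since the page does not show it, and the linear variant is likewise assumed to represent the previous behaviour.

```python
import math

# cgroup v1 cpu.shares (the OCI "shares" field) and cgroup v2 cpu.weight
# ranges and defaults, as stated in the crun 1.23 release note.
V1_MIN, V1_DEFAULT, V1_MAX = 2, 1024, 262144
V2_MIN, V2_DEFAULT, V2_MAX = 1, 100, 10000


def shares_to_weight_linear(shares: int) -> int:
    """Linear interpolation between the two ranges.

    Assumed here to represent the pre-1.23 behaviour (it is the mapping runc
    used before its own quadratic fix). 0 means "unset" and passes through.
    The endpoints line up, but the default 1024 lands on 39, not 100.
    """
    if shares == 0:
        return 0
    if shares <= V1_MIN:
        return V2_MIN
    if shares >= V1_MAX:
        return V2_MAX
    return 1 + ((shares - 2) * 9999) // 262142


def shares_to_weight_quadratic(shares: int) -> int:
    """Quadratic fit in log space: weight = 10 ** e(log2(shares)).

    Solving e(l) = a*l**2 + b*l + c for the three anchors
        l = 1  (shares 2)      -> e = 0 -> weight 1
        l = 10 (shares 1024)   -> e = 2 -> weight 100
        l = 18 (shares 262144) -> e = 4 -> weight 10000
    gives a = 1/612, b = 125/612, c = -7/34. e(l) is increasing on the
    whole range (derivative (2l + 125)/612 > 0), so ordering is preserved.
    Assumption: this is the formula crun 1.23 switched to; the page only
    states the property, not the formula.
    """
    if shares == 0:
        return 0
    if shares <= V1_MIN:
        return V2_MIN
    if shares >= V1_MAX:
        return V2_MAX
    l = math.log2(shares)
    e = (l * l + 125 * l) / 612 - 7 / 34
    return math.ceil(10 ** e)


def anchors_match(convert) -> bool:
    """True if v1 min, default and max map onto v2 min, default and max."""
    return (convert(V1_MIN), convert(V1_DEFAULT), convert(V1_MAX)) == (
        V2_MIN, V2_DEFAULT, V2_MAX)


if __name__ == "__main__":
    print(f"{'shares':>8} {'linear':>8} {'quadratic':>10}")
    for s in (2, 256, 512, 1024, 2048, 65536, 262144):
        print(f"{s:>8} {shares_to_weight_linear(s):>8} "
              f"{shares_to_weight_quadratic(s):>10}")
    print("linear anchors match:   ", anchors_match(shares_to_weight_linear))
    print("quadratic anchors match:", anchors_match(shares_to_weight_quadratic))
```

Running the script prints a small comparison table; the row for 1024 is the one that motivates the change, since a container that sets no explicit shares should end up with the cgroup v2 default weight rather than a much lower one.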

1.22

27 Jun 13:01
4de19b6

  • crun: add a new command crun mounts to dynamically add or remove mounts from a running container.
  • linux: add support for moving existing network devices into the container namespace as defined in the OCI specification.
  • linux: add src-nofollow and dest-nofollow mount options for more precise control over how symbolic links are handled.
  • krun: implement support for external kernels, allowing users to bundle a kernel image with the container.
  • krun: the vCPU limit has been increased to 16.
  • krun: add support for specifying the libkrun flavor via the KRUN_VM_FILE.
  • criu: fix checkpoint and restore for containers that have a bind mount where the destination is a symbolic link.
  • criu: automatically create the directory specified by --work-path if it does not exist, improving compatibility with other runtimes.
  • criu: re-enable support on the riscv64 architecture.
  • cgroup: fix incorrect setting of cpu.max when the OCI quota is -1.
  • hardening: replace all uses of the insecure sprintf function with safer alternatives like snprintf to prevent buffer overflows.
  • fix a regression that caused issues when dealing with paths that do not exist and openat2 is not available.
  • fix an issue where the file descriptor for the rootfs would become stale if the rootfs was replaced by a mount.
  • fix parsing of rootless options.
  • fix a potential crash in krun by checking if library handles exist before being unloaded.
  • improve error messages for dlopen failures, making them more descriptive.
  • cgroup: fix a regression on WSL when running with cgroup v1.
  • libcrun: setup /dev/console as a symlink to pty instead of bind mount when possible.

1.21

28 Mar 08:37
1026984

  • criu: when running under systemd, use a proxy process to initialize the cgroup so that all the container processes are restored in the correct cgroup.
  • set HOME to "/" if the specified user is not present in the /etc/passwd file.
  • do not fail if any of stdin/stdout/stderr is closed.
  • cgroup: fix handling of absent subcgroup when configuring cpuset on cgroup v1.
  • ignore SIGWINCH when a tty is not used.
  • utils: improve error message if the specified command is not executable.
  • fix PATH lookup. Support filenames starting with a dot.
  • krun: create context after loading the library.
  • krun: stop using krun_set_exec but use the command line directly from the OCI configuration file.

1.20

05 Feb 08:39
9c9a76a

  • krun: fix CVE-2025-24965. The .krun_config.json file could be created outside of the container rootfs.
  • cgroup: reverted the removal of tun/tap from the default allow list that was done in crun 1.5. The tun/tap device is now added by default again.
  • CRIU: do not set network_lock unless explicitly specified.
  • status: disallow container names that contain slashes.
  • linux: Improved error message when failing to set the net.ipv4.ping_group_range sysctl.
  • scheduler: Ignore ENOSYS errors when resetting the CPU affinity mask.
  • linux: return a better error message when pidfd_open fails with EINVAL.
  • cgroup: display the absolute path to cgroup.controllers when a controller is unavailable.
  • exec: always call setsid. Now processes created through exec get the correct process group id.

1.19.1

17 Dec 20:52
3e32a70

  • linux: fix a hang if there are no reads from the tty. Use non-blocking sockets to read and write from the tty so that the "crun exec" process doesn't hang when the terminal is not consuming any data.
  • linux: remove the workaround needed to mount a cgroup on top of another cgroup mount. The workaround had the disadvantage of temporarily leaking a mount on the host. The alternative that is currently used is to mount a temporary tmpfs between the two cgroup mounts.