Article Published Date: 1/13/2026
The 14.5.3 LTS release is available at https://github.com/lf-edge/eve/releases/tag/14.5.3-lts
For the change log between 14.5.2-lts and 14.5.3-lts, see https://github.com/lf-edge/eve/compare/14.5.2-lts...14.5.3-lts
Enhancements
Security
- Critical CVE fixes in container runtime. Updated runc to v3.3.0 and containerd to v2.2.0, addressing three critical security vulnerabilities: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. These updates ensure enhanced security for edge container workloads running on EVE-OS.
Networking
- Automatic TCP MSS clamping for application traffic. EVE-OS now automatically adjusts the TCP Maximum Segment Size (MSS) to prevent packet fragmentation issues in edge container environments. This keeps TCP connections reliable even when applications cannot detect or adapt to path MTU changes, which is particularly important for containers running inside VMs. You can disable this feature via the global configuration property app.enable.tcp.mss.clamping if needed.
- Improved DNS resolver reliability across multiple interfaces. DNS servers are now interleaved across interfaces in resolv.conf instead of being grouped by interface. This ensures that when you have multiple management ports, each interface gets representation within the system resolver's 3-nameserver limit, preventing DNS lookup failures on secondary interfaces.
- Optimized VLAN configuration handling. EVE-OS now avoids unnecessary network adapter recreation when VLAN memberships change, reducing network disruption during configuration updates. The system also ensures proper ordering by requiring parent adapters to be fully configured before creating VLAN subinterfaces.
- Cleaner device port configuration messages. Added JSON omitempty tags to device port configuration structures, producing smaller and cleaner configuration messages sent between EVE-OS components.
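The resolver change in the list above, sketched as an added example (not EVE-OS code): it compares grouped and interleaved ordering under the 3-nameserver limit. The PortDNS type, the function names and the documentation-range addresses are assumptions made for illustration.

```go
package main

import "fmt"

// PortDNS is a hypothetical type: one management port and its DNS servers.
type PortDNS struct {
	Port    string
	Servers []string
}

const maxNS = 3 // the resolver's nameserver limit cited in the release note

// Grouped lists each port's servers in turn (the behaviour before this release).
func Grouped(ports []PortDNS) []string {
	var out []string
	for _, p := range ports {
		out = append(out, p.Servers...)
	}
	return firstN(out)
}

// Interleaved takes server i from every port before server i+1 from any port.
func Interleaved(ports []PortDNS) []string {
	var out []string
	for i, more := 0, true; more; i++ {
		more = false
		for _, p := range ports {
			if i < len(p.Servers) {
				out = append(out, p.Servers[i])
				more = true
			}
		}
	}
	return firstN(out)
}

// firstN keeps only the entries the resolver will actually read.
func firstN(in []string) []string {
	if len(in) > maxNS {
		in = in[:maxNS]
	}
	return in
}

func main() {
	// Constructed sample: two ports using documentation-range addresses.
	ports := []PortDNS{{"eth0", []string{"192.0.2.1", "192.0.2.2", "192.0.2.3"}}, {"eth1", []string{"198.51.100.1"}}}
	fmt.Println(Grouped(ports), Interleaved(ports))
}
```

With grouped ordering the second port's server never reaches the resolver; interleaving places it second.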
Linux OS & Kernel Updates
- Kernel updated to v6.1.112 for amd64-generic. This kernel update includes several important improvements: enhanced support for Siemens IPC devices, built-in boot-path drivers for USB/NVMe/MMC/optical drives and RAID controllers (eliminating the need for initrd), enabled cgroup v2 support via CONFIG_CGROUP_BPF, and module compression support.
- Improved device detection during boot. EVE-OS now initiates a udev "cold start" to ensure proper device detection after the root filesystem is mounted. This is particularly important since the kernel initially looks for drivers in /lib/modules during early boot, but EVE-OS doesn't use a traditional initrd with all modules included.
- Enhanced installer device detection. Added udev service to the EVE installer, ensuring that all devices are properly detected during the installation process.
Hardware Support
- Fixed UEFI boot order issues. Replaced pre-cooked UEFI settings with corrected boot order (0000-0005) to prevent edge applications with multiple disks from booting into the EFI Shell. This update includes settings for both default and 640x480 video resolution configurations.
- Enhanced Siemens IPC device support. The kernel update improves support for Siemens Industrial PC devices, making EVE-OS more compatible with industrial edge computing hardware.
Observability & Diagnostics
- Comprehensive spec.sh JSON output improvements. Fixed multiple JSON formatting issues in the hardware specification tool, including proper handling of USB devices, COM ports, NVMe ports, IOMMU groups, PCI device descriptions, and network interfaces. These fixes ensure accurate hardware inventory reporting for diagnostics and troubleshooting.
- Expanded diagnostic log collection. USB diagnostic logs now capture kernel panic logs, providing better insights for troubleshooting critical system failures.
- Enhanced collect-info HTTP compatibility. The collect-info tool now falls back to HTTP PUT method when POST uploads fail, ensuring compatibility with WebDAV servers and other HTTP servers that don't support POST for file uploads.
- Increased rootfs size limit to 290MB. Adjusted maximum root filesystem size from 285MB to 290MB to accommodate growing system requirements while remaining within the 300MB partition size used in many live deployments.
- Updated the Local UI to v0.6.2. The local terminal user interface (TUI) has been updated from version 0.6.0 to 0.6.2.
Performance
- Accurate MMIO memory overhead calculation. Fixed the hypervisor's MMIO overhead calculation to work correctly before adapter reservation, enabling accurate memory overhead estimation when deciding if edge container activation is possible. This prevents "IoBundle not ours" errors and improves resource allocation decisions.
Container & Hypervisor
- Proper container root filesystem configuration. Updated pillar container configuration to create an explicit overlayfs with xen-root as the lower layer, ensuring compatibility with newer versions of runc that properly enforce container filesystem requirements.
Resolved Issues & Fixes
- Fixed context handling in network operations. Replaced context.Background with cancelable contexts in zedkube, diagnostics, and proxy components, improving resource management and enabling proper cancellation of network operations.
- Fixed resource leaks in HTTP request loops. Updated zedkube to close HTTP response bodies immediately after reading them in loops instead of deferring closure, preventing potential resource leaks in long-running operations.
- Fixed missing HTTP response body closures. Corrected missing resp.Body.Close() calls in reportInstStats() and stopPprof() functions, preventing resource leaks.
- Fixed flaky goroutine monitor test. Resolved a race condition in TestGoroutinesMonitorUpdateParamsKeepStatsDecrease by removing exact count assertions and focusing on verifying correct resizing behavior.
- Fixed tools/collect-sources.sh extraction error. Excluded var/lock directory from tarball extraction to resolve "Cannot unlink: Is a directory" errors when processing the updated runc image.
- Updated golangci-lint configuration. Modernized linter configuration to match newer golangci-lint versions, removing deprecated linters and fixing analyzer errors.
- Updated eve-libs vendor dependency. Bumped eve-libs to include context validation improvements in the dialer component.
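The "resource leaks in HTTP request loops" fix above, as an added example (not zedkube code): it measures how many response bodies are open at once when Close is deferred inside a loop versus called right after reading. The in-memory transport, the type and function names and the placeholder URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// tracker is a constructed in-memory transport that counts open response bodies.
type tracker struct{ open, peak int }
type body struct {
	io.Reader
	t *tracker
}

func (b *body) Close() error { b.t.open--; return nil }

// RoundTrip fabricates a 200 response so the example runs without a network.
func (t *tracker) RoundTrip(r *http.Request) (*http.Response, error) {
	if t.open++; t.open > t.peak {
		t.peak = t.open
	}
	return &http.Response{StatusCode: 200, Header: http.Header{}, Request: r,
		Body: &body{Reader: strings.NewReader("{}"), t: t}}, nil
}

// PeakOpenBodies polls n times and returns the most bodies open at once.
// deferClose=true is the pre-fix pattern: every Close waits for function return.
func PeakOpenBodies(n int, deferClose bool) int {
	t := &tracker{}
	c := &http.Client{Transport: t}
	for i := 0; i < n; i++ {
		resp, err := c.Get("http://stats.invalid/") // placeholder URL, never dialed
		if err != nil {
			return -1
		}
		if deferClose {
			defer resp.Body.Close() // accumulates: one open body per iteration
		}
		io.Copy(io.Discard, resp.Body)
		if !deferClose {
			resp.Body.Close() // post-fix: release before the next request
		}
	}
	return t.peak
}

func main() {
	fmt.Println(PeakOpenBodies(100, true), PeakOpenBodies(100, false))
}
```

In a loop that never returns, the deferred variant holds every body, and the connection behind it, for the life of the process.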