To address high-severity kernel vulnerabilities (including CVE-2025-21756 and CVE-2025-38052) in Rocky Linux 8 and 9, updates are available for the Compute Engine images maintained by CIQ. If your VM instances use images dated before September 2025 (version v20250912), you must take action to ensure you continue to receive security patches.
How to determine if your Compute Engine VMs are affected
You are affected if your VM instance uses a Rocky Linux image from an -optimized-gcp or -optimized-gcp-nvidia family with a version date older than v20250912 (for example, rocky-linux-9-optimized-gcp-v20250807). To check your VM's source image, see View VM instance image details. You can view details for these image families in Rocky Linux OS details.
Action required
• If your image version is v20250912 or later: Your VM is already configured to use the newer SIG/Cloud Next (SCN) repositories and is receiving security updates. No action is required.
• If your image version is older than v20250912: Your VM is configured to use legacy SIG/Cloud repositories that no longer receive regular kernel updates and won't receive future security patches. While running sudo dnf update applies a one-time patch for the vulnerabilities listed, you must manually migrate the VM to the SCN repositories to receive ongoing updates by following the CIQ migration guide.
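
The image check described above, as an added example (not part of Google's or CIQ's documentation): a POSIX shell function that takes a boot disk's source image name or URL and reports whether the VM needs the SCN migration. The function names, output labels and sample inventory are constructed for illustration, and matching the family on the "-optimized-gcp" substring is an assumption about how the image names are formed.

```shell
#!/bin/sh
# Added example: triage Rocky Linux source images against the v20250912 cutoff.
CUTOFF=20250912   # first image version configured for the SCN repositories

# classify_image NAME_OR_URL prints one of:
#   migrate  optimized-gcp image older than the cutoff (legacy SIG/Cloud repos)
#   ok       optimized-gcp image at or after the cutoff (SCN repos)
#   other    not a Rocky Linux 8/9 -optimized-gcp image
#   unknown  optimized-gcp name without a parsable -vYYYYMMDD suffix
classify_image() {
    name=${1##*/}                  # accept a full sourceImage URL or a bare name
    case $name in
        rocky-linux-[89]-optimized-gcp*) ;;   # assumption: covers -nvidia variants
        *) echo other; return 0 ;;
    esac
    ver=${name##*-v}               # text after the last "-v"
    case $ver in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$ver" -lt "$CUTOFF" ]; then echo migrate; else echo ok; fi
}

# triage reads "<vm-name> <source-image>" lines on stdin and prints
# "<vm-name> TAB <verdict> TAB <image-name>" for each VM.
triage() {
    while read -r vm image; do
        [ -n "$vm" ] || continue
        printf '%s\t%s\t%s\n' "$vm" "$(classify_image "$image")" "${image##*/}"
    done
}

# Constructed inventory (VM names, project and the nvidia image name are made up).
sample_inventory() {
cat <<'EOF'
web-1 rocky-linux-9-optimized-gcp-v20250807
web-2 https://www.googleapis.com/compute/v1/projects/example-project/global/images/rocky-linux-9-optimized-gcp-v20250912
gpu-1 rocky-linux-8-optimized-gcp-nvidia-v20250610
db-1 rocky-linux-9-v20250807
EOF
}

sample_inventory | triage
```

A "migrate" verdict means sudo dnf update alone is not enough; an "unknown" verdict (for example, a family name with no version suffix) should be checked by hand.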