Alibaba Cloud regularly releases updated versions of Alibaba Cloud Linux 4 images to provide the latest operating system features, functions, and security patches. This topic describes the updates for the latest available versions of Alibaba Cloud Linux 4 images.
Background information
Unless specified otherwise, the updates apply to all regions where Elastic Compute Service (ECS) is available.
2025
Alibaba Cloud Linux 4.0.1
Version number | Image ID | Release date | Release details |
Alibaba Cloud Linux 4.0.1 | aliyun_4_x64_20G_alibase_20251011.vhd | 2025-10-11 | For more information, see Updates. |
Alibaba Cloud Linux 4.0.1 | aliyun_4_arm64_20G_alibase_20251011.vhd | 2025-10-11 | For more information, see Updates. |
Alibaba Cloud Linux 4.0.1 | aliyun_4_x64_20G_container_optimized_alibase_20251106.vhd | 2025-11-24 | For more information, see Updates. |
Alibaba Cloud Linux 4.0.1 | aliyun_4_arm64_20G_container_optimized_alibase_20251106.vhd | 2025-11-24 | For more information, see Updates. |
Updates
Important updates
Kernel:
The kernel is updated to version kernel-6.6.102-5.alnx4.
Memory:
Enabled code huge page optimization in the default cmdline.
Optimized the performance of the mremap() system call.
Optimized the performance of the folio move system call.
Optimized the performance of contiguous PTE operations.
Optimized the creation of tmpfs huge page mappings.
Optimized the mincore() system call.
Fixed the check for shmem large order support.
Created the entire large mapping during a tmpfs fault.
Fixed performance issues caused by the semantic change of huge=always.
Optimized the batch size for 64 KB kernel memory statistics.
Backported madvise_free to support multi-size THP (mTHP).
Ported the low-power container feature.
Architecture
x86
Added support for EDAC, ISST, PMU-Core, PMU-Uncore, and PMU-CWF-events for the Intel CFW architecture.
Added support for AMD Fire Range CPUs.
RISCV
Added support for rva23 Mandatory instructions.
Added support for multi-level page tables: SV32 (32-bit), SV39, SV48, and SV57 (64-bit).
Added support for HugeTLB and huge pages (NAPOT extension).
Added support for CPU hot-plug management through the SBI Hart State Management (HSM) extension.
Added support for atomic operation extensions (Zabha and Zacas).
Added support for the Performance Monitoring Unit (PMU).
CVE fixes
CVE-2024-56775: The AMD display driver failed to correctly maintain the reference count of planes when backing up and restoring plane states. This could lead to issues such as memory leaks or illegal memory access, which affects the stability and performance of the display system.
CVE-2025-21927: The nvme driver did not validate the NVMe TCP PDU header length.
CVE-2025-38264: The nvme-tcp driver did not validate the request list, which could lead to a request processing loop.
CVE-2025-39702: The ipv6/sr module did not use constant time for MAC comparison.
CVE-2025-39711: A missing call to mei_cldev_disable could lead to a use-after-free vulnerability.
CVE-2025-39746: Improper handling of hardware unreliability could lead to a system crash.
CVE-2025-39790: Failure to correctly detect events that point to an unexpected TRE could lead to a buffer double-free.
CVE-2025-39833: Deleting an uninitialized timer could cause debug warnings and system instability.
CVE-2025-39866: A use-after-free issue existed in the __mark_inode_dirty function.
Package updates
The BaseOS baseline for Alinux 4.0.1 is an updated version of Anolis OS 23.3.
Changed the default file system from ext4 to xfs in the online ECS environment. This change provides significant performance improvements for kernel 6.6.
Replaced the Docker provider. Docker functionality is now provided by Moby, and the Docker component will no longer be updated. The Docker component is retained in the repository metadata but is configured to prevent simultaneous installation with Moby. You can choose which one to install.
Disabled the rpcbind service by default to reduce unnecessary open ports and enhance the security of online public images.
Added the ossfs-1.91.7 component. This component provides a command line interface for Alibaba Cloud OSS scenarios. It lets you more easily manage objects in OSS and share data using the local file system.
Added vtoa-2.1.1 to support obtaining the real client address for cloud servers in FullNAT scenarios.
Added idlemd-2.5.2, a memory resource monitoring and scheduling tool for managing idle resources.
Added fuse317-3.17, which provides the latest community fuse over io_uring capability. It also introduces the usrbio engine to support deepseek-like 3fs interfaces.
Added tongsuo3-8.5.0 to provide quantum cryptography and Chinese national cryptographic capabilities.
Security updates
Package name | CVE ID | Updated version |
tigervnc | CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 | tigervnc-1.13.1-5.alnx4 |
systemd | CVE-2025-4598 | systemd-255-9.alnx4 |
redis | CVE-2025-27151 | redis-7.2.10-1.alnx4 |
qemu | CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3567 CVE-2024-7409 | qemu-8.2.0-34.alnx4 |
python-paramiko | CVE-2023-48795 | python-paramiko-3.4.0-1.alnx4 |
postgresql | CVE-2025-8713 CVE-2025-8714 CVE-2025-8715 | postgresql-15.14-1.alnx4 |
openssl1.1 | CVE-2022-4450 CVE-2023-0215 | openssl1.1-1.1.1q-7.alnx4 |
openssh | CVE-2024-39894 CVE-2025-26466 | openssh-9.6p1-3.alnx4 |
openjpeg2 | CVE-2025-54874 | openjpeg2-2.5.3-2.alnx4 |
nginx | CVE-2025-53859 | nginx-1.26.2-3.alnx4 |
libxml2 | CVE-2025-49795 | libxml2-2.11.5-15.alnx4 |
libssh2 | CVE-2023-48795 | libssh2-1.11.0-3.alnx4 |
libssh | CVE-2025-5351 | libssh-0.10.5-10.alnx4 |
krb5 | CVE-2025-24528 | krb5-1.21.2-5.alnx4 |
jupyterlab | CVE-2024-43805 | jupyterlab-4.3.2-1.alnx4 |
httpd | CVE-2024-43204 CVE-2024-47252 CVE-2025-49630 CVE-2025-53020 | httpd-2.4.64-1.alnx4 |
firefox | CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9185 | firefox-140.3.0-1.alnx4 |
expat | CVE-2024-8176 | expat-2.5.0-6.alnx4 |
aide | CVE-2025-54389 | aide-0.19.2-1.alnx4 |
NetworkManager | CVE-2024-3661 CVE-2024-6501 | NetworkManager-1.44.2-4.alnx4 |
yasm | CVE-2023-31975 | yasm-1.3.0-11.alnx4 |
xorg-x11-server-Xwayland | CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 | xorg-x11-server-Xwayland-23.2.5-4.alnx4 |
xorg-x11-server | CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 | xorg-x11-server-1.20.14-15.alnx4 |
unbound | CVE-2024-43167 | unbound-1.17.1-7.alnx4 |
tomcat | CVE-2025-52434 CVE-2025-52520 CVE-2025-53506 | tomcat-9.0.107-1.alnx4 |
tigervnc | CVE-2024-21885 CVE-2025-49176 | tigervnc-1.13.1-5.alnx4 |
sqlite | CVE-2025-6965 | sqlite-3.42.0-5.alnx4 |
ruby | CVE-2025-25186 CVE-2025-27219 CVE-2025-27221 | ruby-3.3.9-5.alnx4 |
python3.11 | CVE-2023-27043 CVE-2024-0397 CVE-2024-0450 CVE-2024-3219 CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8088 CVE-2024-9287 CVE-2025-4516 CVE-2025-4517 CVE-2025-6069 CVE-2025-8194 | python3.11-3.11.6-9.alnx4 |
python-virtualenv | CVE-2024-53899 | python-virtualenv-20.28.0-1.alnx4 |
python-setuptools | CVE-2024-6345 CVE-2025-47273 | python-setuptools-68.0.0-3.alnx4 |
python-black | CVE-2024-21503 | python-black-24.3.0-1.alnx4 |
protobuf | CVE-2025-4565 | protobuf-3.19.6-7.alnx4 |
postgresql | CVE-2025-4207 | postgresql-15.14-1.alnx4 |
polkit | CVE-2025-7519 | polkit-123-2.alnx4 |
php | CVE-2025-1735 CVE-2025-6491 | php-8.3.19-2.alnx4 |
perl | CVE-2025-40909 | perl-5.36.3-18.alnx4 |
openssh | CVE-2024-6387 | openssh-9.6p1-3.alnx4 |
nodejs | CVE-2025-23084 | nodejs-22.16.0-1.alnx4 |
ncurses | CVE-2025-6141 | ncurses-6.4-5.20240127.alnx4 |
mercurial | CVE-2025-2361 | mercurial-6.9.4-1.alnx4 |
libxml2 | CVE-2025-49794 CVE-2025-49796 CVE-2025-6170 CVE-2025-7425 | libxml2-2.11.5-15.alnx4 |
libtiff | CVE-2025-8534 | libtiff-4.7.1-1.alnx4 |
libssh | CVE-2025-5372 CVE-2025-5987 | libssh-0.10.5-10.alnx4 |
libsoup | CVE-2025-32052 CVE-2025-4476 CVE-2025-46421 CVE-2025-4948 | libsoup-2.74.3-18.alnx4 |
libpq | CVE-2025-4207 | libpq-15.13-1.alnx4 |
libarchive | CVE-2025-5916 CVE-2025-5917 CVE-2025-5918 | libarchive-3.7.1-8.alnx4 |
keepalived | CVE-2024-41184 | keepalived-2.3.2-1.alnx4 |
iputils | CVE-2025-47268 CVE-2025-48964 | iputils-20221126-3.alnx4 |
iperf3 | CVE-2025-54349 CVE-2025-54350 | iperf3-3.19.1-1.alnx4 |
httpd | CVE-2024-42516 CVE-2025-49812 | httpd-2.4.64-1.alnx4 |
gstreamer1-plugins-bad-free | CVE-2025-3887 CVE-2025-6663 | gstreamer1-plugins-bad-free-1.26.4-1.alnx4 |
gstreamer1 | CVE-2025-6663 | gstreamer1-1.26.4-1.alnx4 |
gnome-remote-desktop | CVE-2025-5024 | gnome-remote-desktop-47.3-2.alnx4 |
gnome-control-center | CVE-2023-5616 | gnome-control-center-47.3-1.alnx4 |
glibc | CVE-2025-8058 | glibc-2.38-13.alnx4 |
glib2 | CVE-2024-34397 CVE-2025-4056 CVE-2025-6052 | glib2-2.78.3-8.alnx4 |
firefox | CVE-2025-0247 CVE-2025-1943 CVE-2025-4918 CVE-2025-5283 CVE-2025-6965 CVE-2025-8027 CVE-2025-8028 CVE-2025-8034 CVE-2025-8035 | firefox-140.3.0-1.alnx4 |
expat | CVE-2024-28757 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-50602 | expat-2.5.0-6.alnx4 |
edk2 | CVE-2024-38797 | edk2-202402-19.alnx4 |
dpkg | CVE-2025-6297 | dpkg-1.22.21-1.alnx4 |
djvulibre | CVE-2025-53367 | djvulibre-3.5.28-4.alnx4 |
dav1d | CVE-2024-1580 | dav1d-1.4.0-1.alnx4 |
coreutils | CVE-2024-0684 CVE-2025-5278 | coreutils-9.4-6.alnx4 |
containerd | CVE-2024-40635 | containerd-1.6.38-1.alnx4 |
ceph | CVE-2025-52555 | ceph-18.2.1-5.alnx4 |
binutils | CVE-2024-53589 CVE-2025-3198 CVE-2025-5244 CVE-2025-5245 CVE-2025-7545 CVE-2025-7546 | binutils-2.41-12.alnx4 |
augeas | CVE-2025-2588 | augeas-1.14.2-2.alnx4 |
python-requests | CVE-2024-47081 | python-requests-2.32.3-2.alnx4 |
yasm | CVE-2024-22653 | yasm-1.3.0-11.alnx4 |
fish | CVE-2023-49284 | fish-3.6.0-3.alnx4 |
perl | CVE-2024-56406 | perl-5.36.3-18.alnx4 |
gstreamer1-plugins-bad-free | CVE-2025-3887 | gstreamer1-plugins-bad-free-1.26.4-1.alnx4 |
git | CVE-2024-52005 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386 | git-2.47.3-1.alnx4 |
jq | CVE-2025-49014 | jq-1.8.1-1.alnx4 |
vim | CVE-2024-43374 CVE-2024-43802 | vim-9.0.2092-8.alnx4 |
sudo | CVE-2025-32462 CVE-2025-32463 | sudo-1.9.15p5-3.alnx4 |
libssh | CVE-2025-5318 | libssh-0.10.5-10.alnx4 |
perl-Module-ScanDeps | CVE-2024-10224 | perl-Module-ScanDeps-1.31-3.alnx4 |
tomcat | CVE-2025-46701 CVE-2025-48988 CVE-2025-49125 | tomcat-9.0.107-1.alnx4 |
exiv2 | CVE-2025-26623 | exiv2-0.28.7-1.alnx4 |
apache-commons-io | CVE-2024-47554 | apache-commons-io-2.16.1-1.alnx4 |
redis | CVE-2025-32023 CVE-2025-48367 | redis-7.2.10-1.alnx4 |
taglib | CVE-2023-47466 | taglib-1.13-2.alnx4 |
nginx | CVE-2025-23419 | nginx-1.26.2-3.alnx4 |
openjpeg2 | CVE-2023-39327 CVE-2023-39328 | openjpeg2-2.5.3-2.alnx4 |
iniparser | CVE-2025-0633 | iniparser-4.1-6.alnx4 |
ppp | CVE-2024-58250 | ppp-2.5.2-1.alnx4 |
libarchive | CVE-2025-5914 CVE-2025-5915 | libarchive-3.7.1-8.alnx4 |
transfig | CVE-2025-31162 CVE-2025-31163 CVE-2025-31164 CVE-2025-46397 CVE-2025-46398 CVE-2025-46399 | transfig-3.2.9-3.alnx4 |
libxml2 | CVE-2025-24928 CVE-2025-6021 | libxml2-2.11.5-15.alnx4 |
edk2 | CVE-2024-1298 CVE-2024-38796 | edk2-202402-19.alnx4 |
net-tools | CVE-2025-46836 | net-tools-2.10-4.alnx4 |
yelp | CVE-2025-3155 | yelp-42.2-5.alnx4 |
perl-Mojolicious | CVE-2024-58134 | perl-Mojolicious-9.40-1.alnx4 |
php | CVE-2024-11235 | php-8.3.19-2.alnx4 |
Bug fixes
Fixed an issue where mvn reported an error after Maven was installed.
Fixed an issue where the environment log indicated that pam_fprintd.so was missing.
Fixed an issue where the version displayed by rpm -qi for the lcov package did not match the actual version.
Fixed an issue where cmdline settings in alinux-base-setup did not take effect.
Fixed an incorrect time zone path in tzdata.
Fixed an issue that prevented the NVIDIA driver from being installed.
Known issues
On ECS instances of the ebmhfr7.48xlarge instance type, the NetworkManager-wait-online service fails to start during system startup. This instance type includes a USB network device, which increases the startup time of the NetworkManager service. This causes the NetworkManager-wait-online service to time out and fail. If you do not use the USB network device, you can configure NetworkManager to not manage usb0. To do this, edit the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file and add the following content:
    [device-usb0-unmanaged]
    match-device=interface-name:usb0
    managed=0
After you edit the file, restart the NetworkManager service to apply the changes. NetworkManager will no longer manage the usb0 device. After you restart the system, the NetworkManager-wait-online service starts normally.
After you install a desktop environment from an ISO image, the sharing settings menu is missing.
This issue occurs because version 47 of gnome-control-center changed the settings interface. The interface now requires that you enable the Remote Desktop Protocol using gnome-remote-desktop before you can configure sharing settings. The current version does not support this feature. Support will be added in a future version.
After you install a desktop environment from an ISO image, when the time zone is set to automatic in the Date & Time settings, the manual region setting is not disabled.
After you install a desktop environment from an ISO image, changing the profile picture in the user settings interface has no effect.
On the x86 architecture, after you install a desktop environment from an ISO image, changing the display orientation in the display settings fails.
Alibaba Cloud Linux 4.0
Version number | Image ID | Release date | Release details |
Alibaba Cloud Linux 4.0 | aliyun_4_x64_20G_alibase_20250728.vhd | 2025-07-28 | |
Updates
Security updates
Package name | CVE ID | Updated version |
udisks2 libblockdev | CVE-2025-6019 | udisks2-2.10.90-2.alnx4 |
python-tornado | CVE-2025-47287 | python-tornado-6.4.2-2.alnx4 |
libsoup | CVE-2025-2784 CVE-2025-46420 CVE-2025-32914 CVE-2025-32913 CVE-2025-32912 CVE-2025-32911 CVE-2025-32910 CVE-2025-32909 CVE-2025-32907 CVE-2025-32906 CVE-2025-32053 CVE-2025-32050 CVE-2025-32049 | libsoup-2.74.3-14.alnx4 |
xz | CVE-2025-31115 | xz-5.4.7-3.alnx4 |
python-jinja2 | CVE-2025-27516 CVE-2024-34064 | python-jinja2-3.1.3-4.alnx4 |
wireshark | CVE-2025-1492 | wireshark-4.4.2-3.alnx4 |
emacs | CVE-2025-1244 CVE-2024-53920 | emacs-29.4-5.alnx4 |
curl | CVE-2025-0725 CVE-2025-0665 CVE-2025-0167 CVE-2024-11053 CVE-2024-9681 CVE-2024-8096 CVE-2024-7264 CVE-2024-2398 CVE-2024-2004 CVE-2023-46218 CVE-2023-46219 | curl-8.4.0-11.alnx4 |
openssl | CVE-2024-13176 CVE-2024-9143 CVE-2024-6119 CVE-2024-4741 CVE-2024-4603 CVE-2024-2511 CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 | openssl-3.0.12-13.alnx4 |
docker | CVE-2024-41110 CVE-2024-36623 | docker-24.0.9-6.alnx4 |
libxml2 | CVE-2025-49794 CVE-2025-49796 CVE-2025-32415 CVE-2025-32414 CVE-2025-27113 CVE-2025-24928 CVE-2025-7425 CVE-2025-6170 CVE-2025-6021 CVE-2024-56171 CVE-2024-40896 CVE-2024-34459 CVE-2024-25062 | libxml2-2.11.5-11.alnx4 |
krb5 | CVE-2024-37371 CVE-2024-37370 CVE-2024-26462 CVE-2024-26461 CVE-2024-26458 | krb5-1.21.2-4.alnx4 |
libcdio | CVE-2024-36600 | libcdio-2.1.0-2.alnx4 |
unbound | CVE-2024-43168 CVE-2024-33655 CVE-2024-8508 CVE-2023-50868 CVE-2023-50387 | unbound-1.17.1-6.alnx4 |
kubernetes | CVE-2024-10220 CVE-2024-3177 | kubernetes-1.27.8-4.alnx4 |
libtiff | CVE-2024-7006 CVE-2023-52356 CVE-2023-52355 | libtiff-4.6.0-2.alnx4 |
libsass | CVE-2022-43358 | libsass-3.6.4-2.alnx4 |
uboot-tools | CVE-2022-34835 CVE-2022-33967 CVE-2022-2347 | uboot-tools-2022.04-5.alnx4 |
djvulibre | CVE-2021-46312 CVE-2021-46310 CVE-2021-32493 CVE-2021-32491 CVE-2021-32490 | djvulibre-3.5.28-3.alnx4 |
Important updates
Kernel:
Based on the Linux upstream Long Term Support (LTS) kernel version 6.6: kernel-6.6.88-4.2.alnx4.x86_64.
Scheduling
Supports the sched_ext feature.
Supports the jbd2 lock proxy execution feature.
Enhanced EEVDF stability.
Memory
Supports the fast out-of-memory (OOM) feature.
Supports the page table page revocation feature.
Supports the slab lockless shrink feature to improve the concurrent performance of the slab shrinker.
Supports the async fork feature to optimize the performance of the fork system call.
Supports the duptext feature. The duptext extension also supports large folio.
mmap() supports the THP align feature to increase the success rate of Transparent Huge Pages (THP) allocation.
Network
Compatible with many features from previous versions of the 5.10 kernel. These features include elastic Remote Direct Memory Access (eRDMA) support, SMCv2 support, CQ optimization, sysctl optimization, various stability fixes, the Write-with-Imm feature, link/lgr count optimization, packet capture, and memory watermark limits.
Supports the virtio-net XDP zerocopy feature.
BPF
Supports the creation of BPF_F_TIMER_CPU_PIN using bpf timer.
Supports the __nullable configuration for struct_ops input parameters.
Supports direct access to members of struct_ops maps by bpf skel.
Supports calling subprograms while holding a spinlock or rculock.
Supports bits iterators.
Storage
Supports the experimental ext4 large folio feature. This feature significantly improves the performance of buffered I/O. It is marked as EXPERIMENTAL and is disabled by default. To try this feature, enable it using the -o buffered_iomap option.
Fixed an issue with d2c latency statistics. Due to upstream changes, QUEUE_FLAG_STATS is no longer set by default, which disables d2c latency statistics. Calling ktime_get_ns() in high-speed device scenarios can affect performance. A new sysfs interface is added to control the enabling of these statistics.
Drivers
The NVMe drive supports the reservation and disk activation features.
Upgraded the hct driver module to support HCT version 2.1.
Userspace components:
Core component changes
gcc toolchain: version 12.3.0
binutils: version 2.41
systemd: version 255
grub2: version 2.12
glibc: version 2.38
util-linux: version 2.39
llvm: default version is 17.0.6. A compatibility package for llvm18 is also available (requires enabling the devel repository).
openssh: version 9.6p1
python3: version 3.11.6
glib2: version 2.78.3
openssl: default version is 3.0.12
Common application component changes
qemu: default version is 8.2.0
libvirt: default version is 9.10.0
MySQL: default version is 8.0.42
mariadb: default version is 10.6.22
postgresql: default version is 15.12
sqlite: version 3.42.0
rust: version 1.84
Golang: version 1.24
nginx: version 1.26
apache(httpd): version 2.4.62
bind: version 9.18.34
php: version 8.3.19
rpm: version 4.18
dnf: version 4.16
xfsprogs: version 6.6.0
docker: default version is 24.09. Support for podman is discontinued.
kubernetes: version 1.27.8
ruby: version 3.3.7
samba: version 4.19.5
gcc-toolset-14 series compilation tools are available (requires enabling the devel repository).
Core configuration changes
Alibaba Cloud Linux 4 enables Control Group (cgroup) v2 by default. To switch to cgroup v1, see How to switch to cgroup v1 in Alibaba Cloud Linux 4.
The system disk of Alibaba Cloud Linux 4 uses the xfs file system by default. Because xfs uses some advanced features, systems with earlier kernel versions may not be able to read the content on the disk.
Notes
The current kernel version does not support the Group Identity co-location technology.