Release 2026_018 (2026-05-18)

Impact

25.05

Machines will reboot to activate a changed kernel.

25.11

Machines will reboot to activate a changed kernel.

NixOS 25.05 platform

  • linux kernel: mitigate “dirty frag” vulnerabilities (CVE-2026-43500, CVE-2026-4328)

  • Pull upstream NixOS changes, security fixes, and package updates:

    • linuxKernelStable: 6.12.85 -> 6.12.87

    • linuxKernelVerify: 6.12.85 -> 6.12.87

NixOS 25.11 platform

  • linux kernel: mitigate “dirty frag” vulnerabilities (CVE-2026-43500, CVE-2026-4328)

  • fc-collect-garbage: warn about unknown/human users with gcroots. (PL-134227)

  • router: remove various deprecated and obsolete role options. (PL-135248)

  • nix: use redundant object storage gateways as binary cache while removing superfluous old binary cache (PL-135325)

    This change leads to better performance for Nix invocations that are not in any binary cache.

  • Pull upstream NixOS changes, security fixes, and package updates:

    • apacheHttpd: 2.4.66 -> 2.4.67

    • chromedriver: 147.0.7727.137 -> 148.0.7778.96

    • chromium: 147.0.7727.137 -> 148.0.7778.96

    • firefox: 150.0.1 -> 150.0.2

    • gitaly: 18.11.1 -> 18.11.2

    • gitlab: 18.11.1 -> 18.11.2

    • gitlab-ee: 18.11.1 -> 18.11.2

    • gitlab-pages: 18.11.1 -> 18.11.2

    • gitlab-runner: 18.11.1 -> 18.11.2

    • gitlab-workhorse: 18.11.1 -> 18.11.2

    • linuxKernelStable: 6.12.85 -> 6.12.87

    • linuxKernelVerify: 6.12.85 -> 6.12.87

    • matrix-synapse: 1.152.0 -> 1.152.1

    • php82: 8.2.30 -> 8.2.31

    • php83: 8.3.30 -> 8.3.31

    • php84: 8.4.20 -> 8.4.21

    • php85: 8.5.5 -> 8.5.6

    • redis: 8.2.3 -> 8.6.3

Detailed Changes