Memorystore for Redis supports the General Availability of the following health issues:
AlloyDB integration with Knowledge Catalog is now generally available (GA).
This integration provides a unified metadata view to simplify data governance and analysis. It includes near real-time synchronization and expanded metadata details, like primary and foreign keys.
For more information, see Integrate AlloyDB with Knowledge Catalog.
Table Explorer behavior is moving to the Reference panel. This transition will occur in July 2026 or later. For more information, see Table Explorer.
gcloud container attached clusters get-credentials.
Use gcloud container fleet memberships get-credentials to get credentials
for a running Attached cluster.gcloud CLI to 3.14.5.gcloud ai tuning-jobs command group to manage Vertex AI supervised fine-tuning jobs.gcloud artifacts image-streaming-cache command group to manage
image streaming caches per region. This group includes create,
describe, delete, and list commands.--unity-service-principal-application-id flag for gcloud biglake iceberg catalogs create and update to BETA, making it publicly visible.gcloud biglake iceberg catalogs to GA.gcloud datalineage command group to manage Cloud Data Lineage resources.gcloud datalineage config describe and gcloud datalineage config update commands to manage Data Lineage configurations.gcloud datastream connection-profiles create and update commands.gcloud datastream streams create and update commands.--readiness_probe in gcloud run deploy and gcloud run services update to GA.gcloud services api-keys create and update
commands' --api-target flag to accept a colon-separated list of methods
inline (e.g. --api-target="service=foo,methods=m1:m2").gcloud storage batch-operations bucket-operations commands to GA.gcloud beta cluster-director clusters create.--action-on-vm-failed-health-check flag to GA for gcloud compute instance-groups managed create and gcloud compute instance-groups managed update.cross-site-networks wire-groups).any-reservation-then-fail choice to --reservation-affinity flag in
beta for gcloud compute instances create,
gcloud compute instances bulk create,
gcloud compute instance-templates create,
gcloud compute instances create-with-container, and
gcloud compute instance-templates create-with-container commands.--include-disks and --exclude-disks flags for gcloud compute machine-images create to the BETA release track.--dataplane-optimization-mode flag to gcloud container clusters create to select scalability mode for Dataplane V2.--region flag in gcloud network-connectivity transports create to include supported regions list.gcloud network-security operations command group (describe, wait, list, cancel).gcloud network-security firewall-endpoints commands
(create, delete, describe, list, update) to GA.gcloud network-security security-profiles wildfire-analysis
commands to BETA.gcloud network-security firewall-endpoints wildfire-verdict-change-requests
commands to beta.gcloud network-security firewall-endpoints create command to
BETA.gcloud network-security firewall-endpoints update command to
BETA.gcloud recaptcha keys create ignored --testing-score when creating Android or iOS keys.Subscribe to these release notes at https://groups.google.com/forum/#!forum/google-cloud-sdk-announce.
QueryData adds support for parameterized secure views (PSVs) to help secure applications that use natural language queries. For more information, see Secure and control access to application data.
This feature is in Preview.
Support for the accelerator-optimized g4-standard-48 machine type for securely running AI and ML workloads is available in Preview, with the following specifications:
Dataflow now supports NVIDIA RTX Pro 6000 GPUs. You can use this
GPU model to run your Apache Beam pipelines on Dataflow. RTX
Pro 6000 GPUs are recommended for large, medium, and small model inference
workloads. To configure your workers with this GPU model, set the accelerator
type to nvidia-rtx-pro-6000. For more information, see Dataflow
support for GPUs.
Gemini Enterprise: ServiceNow data store actions and federation
The ServiceNow data store supports federation and assistant actions in Gemini Enterprise.
You can connect a ServiceNow site to search and read incidents, change requests, tasks, and knowledge base articles using natural language. You can also perform actions, such as creating and updating incidents, directly from the Gemini Enterprise app.
This feature is generally available (GA). For more information, see Connect ServiceNow.
Google Distributed Cloud (software only) for bare metal 1.35.200-gke.66 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.35.200-gke.66 runs on Kubernetes v1.35.3-gke.400.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.35.200-gke.66:
etcd-events pod read the stale data directory when it started
and attempted to reuse the old member ID to rejoin the cluster instead of the
new one. Trying to use the old member ID to rejoin the cluster resulted in an
infinite retry loop and caused the cluster to reject the connection. The fix
ensures the /var/lib/etcd-events directory is
cleared upon failure, and adds retry logic to kubeadm-reset to improve resiliency against transient API errors.
New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
[Spotlight Feature] Ask Gemini Cloud Assist in Feed Management
Google SecOps now provides Gemini Cloud Assist (GCA) directly within the Feed Management interface to help you with feed creation, setup, and general troubleshooting questions.
A new Ask Gemini Cloud Assist button is now available in the Feed Management interface. You can click this button to open the Gemini Cloud Assist panel and ask questions to get guidance on: * Configuring and managing data feeds. * Understanding ingestion pre-requisites and setup steps for different log sources. * Resolving common setup issues.
Note: Gemini Cloud Assist provides recommendations and answers to your questions, but does not perform configuration changes on your behalf. You must apply any recommended changes manually to your feeds.
For more information, see Feed management overview.
New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
New Documentation changelogs
Google SecOps is now releasing a monthly changelog to capture major documentation updates.
For more information, refer to Documentation changelog.
Managed Service for Apache Spark (formerly Dataproc on Compute Engine): Rollout of the new sub-minor versions without pre-configured channels will begin on June 22, 2026, delayed from the previously planned date of June 15, 2026 ETA.
]]>Preview: Before you create Spot VMs, you can view the real-time availability, estimated uptime, historical preemption rate, and pricing for a specific machine type and location. This information helps you maximize the chances of successfully creating Spot VMs and choose the configuration that best fits your workload needs and budget. For more information, see Use Spot.
The Database Insights remote Model Context Protocol (MCP) server now supports the following advanced query insights tools for AlloyDB for PostgreSQL:
get_advanced_aggregated_query_statsget_advanced_aggregated_wait_event_statsget_advanced_time_series_query_statsget_advanced_time_series_wait_event_statsget_index_recommendationsFor more information, see Database Insights remote MCP server.
Use Gemini Cloud Assist to analyze your SQL queries and receive recommendations to optimize query performance in BigQuery. This feature is available to customers who use BigQuery editions. This feature is in Preview.
Support for configuring daily token quotas for BigQuery generative AI functions has been temporarily disabled. We are working to restore this feature as soon as possible.
You can resize the width of table columns in BigQuery Studio for BigQuery listings such as datasets, repositories, job history, and connections. To resize a column, hover over the column divider and drag it to your preferred width.
You can use Gemini Code Assist directly within the BigQuery Jobs explorer, Job details, Job history, and Capacity management pages to help you troubleshoot and analyze performance issues. For more information, see Troubleshoot job performance. This feature is in Preview.
Limited support for Blockchain Node Engine
Starting June 15, 2026, Blockchain Node Engine will enter a period of limited support.
New node creation in Blockchain Node Engine and provisioning of new Blockchain RPC endpoints will be disabled.
Existing nodes and endpoints will continue to function and receive critical updates until the final shutdown date.
We recommend migrating your workloads to our partner, Quicknode, to avoid service disruption.
For more information, see the migration guide.
New filters and group-by options available in Cloud Billing Reports
Cloud Billing has added two filters to the Billing Reports page to help you analyze and understand your costs:
Products: Google Cloud Products consist of a group of SKUs (potentially from more than one Google Cloud Service) that work together and are sold as a single service, sometimes referred to as a logical product family or a subscription service. Examples include Gemini Enterprise and Firebase App Hosting.
Originating services: An Originating service is a Google Cloud service that causes usage in another service. For example, Google Kubernetes Engine (GKE) can cause usage in Compute Engine. In this use case, when you are viewing the Compute Engine usage and costs, GKE is an originating service when it causes usage in Compute Engine.
You can also Group by the new filters, to summarize your costs by the dimension you select.
Learn more about analyzing billing data and cost trends with Reports.
Learn how to view Gemini Enterprise costs in Cloud Billing reports.
The Envoy Compressor Filter is now GA in the rapid release channel.
To ensure your EnvoyFilter compressor configuration is fully supported, see
Modernize EnvoyFilter compressor configurations.
Preview: Before you create Spot VMs, you can view the following information for a specific machine type and location:
You can view the real-time obtainability and estimated uptime. This information helps you maximize your chances of successfully creating Spot VMs, as well as help ensure that your workload starts and runs efficiently.
You can view historical and current preemption rate and pricing. This information helps you compare and choose the configuration that best fits your workload needs and budget.
For more information, see View the availability of Spot VMs and View the preemption rate and pricing for Spot VMs.
Dataflow has updated and expanded its pipeline update features for streaming jobs:
update_strategy_parallel_job_update) and a standard
in-place update (update_strategy_in_place_update) while keeping all other
configuration the same.create_or_update_job experiment to enable automatic create-or-update
(upsert) behavior. If an active job with the specified name already exists,
it is updated. Otherwise, a new job is created.For more information, see Automated stop and replace, Automated parallel pipeline updates, and Automatic create or update (upsert) for templates.
Various bug fixes and minor product enhancements.
Gemini Enterprise: New data stores and support for new actions (Public Preview)
The following data stores are available in Public Preview:
Additionally, support for new actions is available for the following data stores:
For more information, see Connect a third-party data source.
Gemini Enterprise: Observability settings for individual agents (Preview)
You can now configure observability settings for individual agents in Agent Designer employee-made agents. This allows you to monitor metrics in Metrics Explorer and view trace results in Trace Explorer for specific agents.
Observability settings for individual agents are configured inside the agent-level settings. Previously, observability was only available at the application level, which applies to the Core Assistant agent.
This feature is in Public Preview. For more information, see Manage observability settings.
Advanced reporting dashboards 4.36
We've released version 4.36 of the advanced reporting dashboards.
New child queues filter option
Dashboards that have the Queue Name filter now also have a Child Queues checkbox. Select Yes if you want to include all child queues of the specified queue. There's also a new Child Queues (Yes / No) filter available in Explores that have the Queue Name filter.
The Agent & Queue Status (Live) Explore contains new real-time agent and queue metrics
The Agent & Queue Status (Live) Explore contains the following new metrics:
In Call: the number of agents currently on a call
Available / Waiting: the number of agents available and waiting for the next contact
Contacts in Queue: the number of calls currently waiting in the queue
Link directly to CSAT scores in your CRM from the CSAT dashboards
In the CSAT Interactions table of the CSAT - Calls and CSAT - Chats dashboards, next to the Session ID numbers, links to the associated CSAT scores in your CRM are now available. You can go directly to the CSAT scores without needing to search for them in your CRM.
For more information, see CSAT dashboards.
Updates to the Real-time Queue Monitoring - Calls dashboard
The Real-time Queue Monitoring - Calls dashboard now includes the following metrics tiles:
Total Rolled Over Pending Callbacks
Total Rolled Over Completed Callbacks
Avg CSAT Calls
For more information, see Queue monitoring dashboards.
Updates to the Queue Performance dashboards
The Queue Performance - Calls and Queue Performance - Chats dashboards now include the following:
A new Interaction Type filter
A new Interaction Type column in the Queue Detailed Table
The Queue Performance - Calls dashboard now includes the following metrics tiles:
Total Rolled Over Completed Callbacks
Total Rolled Over Pending Callbacks
Repeat contact data in the Queue Performance dashboards
The Queue Summary Table of the Queue Performance - Calls and Queue Performance - Chats dashboards now includes the following columns:
Total Repeat Contacts
Repeat Contact %
For more information, see Queue Performance dashboards.
The following issues were addressed in this release:
Fixed an issue where Repeat Contact % values in the Queue Summary Table of the Queue Performance - Calls dashboard exceeded 100%.
Fixed an issue where the Date filter in Explores returned no results when is on or after was set for an absolute date.
Removed the Total Logged in Time metrics tile from the Agent Availability dashboard.
Fixed an issue where language labels were missing from the advanced reporting dashboards.
Fixed an issue that occurred when filtering by chat ID in the All Interactions - Chats dashboard. The wrong chat ID appeared in the Virtual Agent Chats table.
Fixed an issue where disposition codes were missing or blank for outbound calls in the Call Agent Metrics (Historical) dashboard.
Starting with Distributed Cloud software only for VMware version
1.33.0-gke.799, you must add us.gcr.io to your firewall allowlist to
create or upgrade advanced clusters.
You can use the error ID provided in permission error messages to help troubleshoot access. Error IDs provide context for the error, including the principal, resource, permission, and supported IAM conditions. This feature is available in Preview.
For more information, see Permission error messages.
]]>Release 6.3.89 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Non-prioritized IoC Matching rules Category
Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.
This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.
For more information, refer to Non-prioritized IoC Matching rules category overview.
Non-prioritized IoC Matching rules Category
Google SecOps has introduced a new detection category, Non-prioritized IoC Matching rules, as part of the Curated Detections feature. These rule sets integrate with Google's Indicators of Compromise (IoC) feeds and build on curated threat intelligence to identify malicious activities within Google SecOps environments, specifically focusing on threats identifiable through high-fidelity indicators like IPs, domains, and file hashes.
This rules category provides comprehensive coverage for threats often missed by standard managed content, including cryptomining, Command and Control (C2) communications, and the use of malicious anonymization services.
For more information, refer to Non-prioritized IoC Matching rules category overview.
Release 6.3.88 is now available for all regions.
]]>BigQuery AI functions can use
ObjectRef values directly as input,
without calling the OBJ.GET_ACCESS_URL function.
This feature is
generally available
(GA).
All agent.googleapis.com/processes metrics are retained for 24 months. For
more information, see Data retention.
You can now create and query parameterized secure views in Cloud SQL for PostgreSQL.
Parameterized secure views let you use PostgreSQL views with more granular
access control over your data. While you can issue a GRANT statement to control
whether a user can query a PostgreSQL view, a GRANT statement doesn't let you
control the data that the view returns based on the user who is making the
query.
To gain this level of control, use parameterized secure views. You can define parameters such as a user ID or region within the view. When your application queries the view, a user can provide values for these parameters, which customizes the query results. Using parameterized secure views lets you enforce "least privilege" access to help ensure that your users interact only with the data that is relevant and authorized to them.
This feature is in Preview.
The following images are now rolling out for managed Cloud Service Mesh:
These rollouts will preempt those previously announced on June 3, 2026.
These patch releases contain the fix for the vulnerability listed in GCP-2026-035
Proxy version csm_mesh_proxy.20260423_RC03 for Gateway API on GKE clusters is rolling out to all Managed Cloud Service Mesh release channels over the next week.
Gemini Enterprise mobile app: General availability (GA) for Google Identity users
The Gemini Enterprise mobile app is generally available (GA) for organizations using Google Identity as their identity provider. Users can access their agents, search enterprise data, utilize voice features, and perform interactive actions from iOS and Android devices.
With this release, administrators can display a configuration QR code on the web app homepage to enable user access by scanning the QR code. For organizations using Microsoft Entra ID, access to the mobile app is in GA with allowlist.
To learn more, see Configure the mobile app and Use the mobile app.
Google Cloud CCaaS 4.40
We've released version 4.40 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
This release addresses the following issues:
Fixed an issue with Salesforce where virtual agent responses appeared out of order in transcripts.
Fixed an issue where the advanced reporting dashboards didn't load.
Fixed an issue where PDF and audio attachments weren't visible to agents after a chat transfer.
Fixed an issue where end-users were incorrectly placed on hold following a cold transfer to a queue.
Fixed an issue where MP3 audio files for agent call deflections couldn't be uploaded.
Fixed an issue where agents were automatically logged out due to inactivity while still engaged in active calls or chats.
Fixed an issue where a bulk user upload with blank phone number columns caused existing direct inbound phone numbers to become unassigned from agent profiles.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2681000 | cos-117-18613-613-40 | cos-117-18613-613-40 release notes |
| 1.31.14-gke.2074000 | cos-117-18613-613-40 | cos-117-18613-613-40 release notes |
| 1.33.12-gke.1166000 | cos-121-18867-381-161 | cos-121-18867-381-161 release notes |
| 1.35.5-gke.1241000 | cos-125-19216-395-55 | cos-125-19216-395-55 release notes |
| 1.36.0-gke.2459000 | cos-129-19506-120-64 | cos-129-19506-120-64 release notes |
[Spotlight Feature] Search for cases using SIEM Search
Google SecOps SIEM Search now provides robust capabilities for analyzing cases and case history alongside existing Unified Data Model (UDM) events and entities. This update allows security analysts to seamlessly correlate case details with other security telemetry within a single interface, streamlining workflows and accelerating incident response.
Key Highlights:
Unified Search Experience: Conduct searches across UDM events, entities, cases, and case history from a single SIEM Search interface.
Correlate SIEM and SOAR Data: Effortlessly link case details and historical activities with security data, reducing context switching and improving investigation efficiency.
For more information, see Search cases and case history.
[Spotlight Feature] Investigate detections in Google SecOps Search
Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation.
For more details, see Investigate detections in Search.
Asynchronous Search APIs for large datasets
Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results.
For more information, see Asynchronous Search APIs and Result limits for data sources.
[Spotlight Feature] Investigate detections in Google SecOps Search
Google SecOps Search now supports querying, filtering, and analyzing system-generated detections. When searching on events or entities, matching detections will now appear in the Alerts and Detections tab, providing a more holistic workflow for threat investigation.
For more details, see Investigate detections in Search.
Asynchronous Search APIs for large datasets
Google SecOps now supports asynchronous Search APIs that let you perform long-running queries without blocking your applications. This is ideal for searches that return a large volume of results.
For more information, see Asynchronous Search APIs and Result limits for data sources.
New Managed Airflow (Gen 2) environments created while the Restrict Endpoint Usage organization policy is active now use regional endpoints for services like Cloud Storage, Cloud Logging, Pub/Sub, and Data Lineage. For more information, see Configure environments with Restrict Endpoint Usage policy.
The maximum cacheable object size for Media CDN can be increased up to 1 TiB. To request a limit increase for your project, contact your Google support representative. This feature is Generally Available.
For more information, see Quotas and limits.
Media CDN lets you identify the country codes of the edge caches serving client requests. This feature is Generally Available.
For more information, see Custom headers.
The ability to remediate access issues with Policy Troubleshooter is generally available.
Added support for inspecting and de-identifying batched content. You can now include a BatchContentItem in your ContentItem requests.
You can monitor performance, analyze capacity, and optimize costs with Gemini Cloud Assist in BigQuery. This feature is in Preview.
Support for the
AI.KEY_DRIVERS function
is restored. You can use the
AI.KEY_DRIVERS function to identify segments of data that cause statistically significant changes to a summable metric.
This feature is in Preview.
In an autoscaled managed instance group (MIG), you can configure the stabilization period to manage how quickly the autoscaler deletes instances after a decrease in the load. This configuration can help optimize costs or maintain extra capacity based on your workload requirements. For more information, see Configure stabilization period.
The VMware Engine ve2 node type is now available in the following
additional region:
northamerica-south1)Siemplify: Version 109.0
Refactored the code in the following action:
Knowledge Catalog now supports data profile scans for unstructured data (such as PDFs in Cloud Storage) on existing BigQuery object tables. This feature uses Vertex AI Gemini models to extract semantic insights, including entities and relationships, from unstructured content.
For more information, see About unstructured data insights and Use data profile for unstructured data.
]]>Agent Assist offers Proactive generative knowledge assist V2 in GA. This version supports rich search context, multiple suggested queries, and granular control over triggering events.
BigQuery continuous queries now support the following aggregation functions:
Support for these functions is in Preview.
Multi-project access to Cloud Billing cost views available in Preview
In Cloud Billing accounts, multi-project access to usage costs lets project owners, solution owners, developers, and other non-billing admins see cost data for all of their authorized projects in a single view in the Cloud Billing console.
The multi-project view uses a combination of Cloud Billing account permissions and Google Cloud project permissions that let Cloud Billing administrators and organization administrators jointly control access to project-level cost data.
Using project-scoped Cloud Billing account permissions, Cloud Billing administrators can control which solution owners can view aggregated cost data in the Cloud Billing console.
The configuration option to not enroll your cluster in a release channel (known as No channel, formerly as Static) is now deprecated, and will be removed on June 14, 2027. For any clusters not enrolled in a release channel, we recommend that you enroll the cluster before this date. After the removal date, GKE will enroll all remaining clusters in the Stable channel. For more information about this deprecation and how you can achieve the same functionality with release channels, see Clusters not enrolled in a release channel.
Azure Security Center: Version 17.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connector:
Google Chronicle: Version 85.0
Updated partial batch handling and added dynamic batch sizing to prevent timeout loops, refactored logging and added monitoring signals for process health, and pipeline states, and improved detections batch parsing and processing efficiency in the following connector:
Integration: Updated authentication flow mechanism.
Google Cloud IAM: Version 20.0
Updated Predefined Widgets in the following widgets:
List Roles
List Service Accounts
Microsoft Azure Sentinel: Version 64.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connectors:
Microsoft Azure Sentinel Incident Connector v2
Microsoft Sentinel Incident Tracking Connector
Microsoft Defender ATP: Version 32.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connectors:
Microsoft Defender ATP Connector
Microsoft Defender ATP Connector V2
Microsoft Graph Mail: Version 42.0
Updated the logic for robust handling of transient upstream API errors and connection issues in the following connector:
Microsoft Graph Mail Delegated: Version 19.0
Updated the logic for robust handling of transient upstream API errors and connection issues in the following connector:
Microsoft Graph Security: Version 27.0
Announced deprecation notice. Connector will be deprecated on 30th March 2027. Only critical bug fixes will be considered. For more information refer to the documentation of individual connectors in the following connectors:
Microsoft Graph Office 365 Security and Compliance Connector
Microsoft Graph Security Connector
Protectwise: Version 7.0
Refactored the code in the following action:
Qualys VM: Version 28.0
Fixed AttributeError during parsing of multiple host lists and added fallback hostname matching in the following actions:
List Endpoint Detections
Enrich Host
Organization Policy Service custom constraints are generally available for Cloud Domains. For more information, see Use custom organization policies.
1.29.4-asm.0 is now available for in-cluster Cloud Service Mesh.
You can now download 1.29.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.29.4 subject to the list of supported features.
The following environment variables, labels, and annotations are not supported:
PILOT_IGNORE_RESOURCES and PILOT_INCLUDE_RESOURCESRetryIgnorePreviousHostsomit_empty_valuesPILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAYMAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP with the value 1PILOT_DNS_JITTER_DURATIONPILOT_DNS_JITTER_DURATIONENABLE_NATIVE_SIDECARS with the value truePILOT_IP_AUTOALLOCATE_IPV4_PREFIX and PILOT_IP_AUTOALLOCATE_IPV6_PREFIXPILOT_DNS_CARES_UDP_MAX_QUERIESENABLE_WILDCARD_HOST_SERVICE_ENTRIES_FOR_TLSENABLE_DEBUG_ENDPOINT_AUTHDISABLE_TRACK_REMAINING_CB_METRICSgateway.istio.io/tls-cipher-suitesfileFlushMinSizeKB and fileFlushInterval settings in ProxyConfigtopology.istio.io/localitystatsCompression ProxyConfig optionproxy.istio.io/config annotation for metric compression overridesIstio's experimental feature to enable lazy subset creation of envoy statistics is not supported.
The formatter option within the spec.tracing[].customTags field of the
Telemetry custom resource (telemetry.istio.io) is unsupported.
The istiod_remote_cluster_sync_status Prometheus gauge metric, exposed on the
Istiod control plane metrics endpoint (port 15014 /metrics), is not
supported.
The following are unsupported for proxyless gRPC clients:
Configuring the LEAST_REQUEST load balancing policy within the
spec.trafficPolicy.loadBalancer.simple field of a DestinationRule custom
resource (networking.istio.io)
Configuring the http2MaxRequests circuit breaker within the
spec.trafficPolicy.connectionPool.http.http2MaxRequests field of a
DestinationRule custom resource (networking.istio.io)
The ENABLE_AUTO_SNI flag is still supported to keep aligned with the legacy
behavior.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.29.4-asm.0 uses Envoy v1.37.4-dev.
In-cluster Cloud Service Mesh 1.26 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.
A vulnerability (CVE-2025-10263) about bypass of translation stages or GPT protections in some Arm core families was discovered and has been addressed. For more information, see the GCP-2026-036 security bulletin.
Various bug fixes and minor product enhancements.
Gemini Enterprise: Share agents with Google Groups
End users can share agents created using Agent Designer with Google Identity groups, provided an administrator has enabled this feature for the Gemini Enterprise app.
This feature is generally available (GA). For more information, see Share an agent.
Anthropic's Claude Fable 5
Claude Fable 5 is available in Model Garden.
Mobile SDK for Android version 2.15.3 patch
We've released version 2.15.3 of the Mobile SDK for Android.
This release addresses the following issues:
Fixed an issue where UjetWebFormCallback in the Android SDK lacked the
necessary methods to pass form data.
Fixed an issue where chat messages and content cards in the Mobile SDK displayed out of order.
Fixed an issue where the Android SDK didn't start a new chat session after the previous session ended.
Fixed an issue where customers couldn't customize the Android SDK to display the timeout message to end-users.
UDM fields now show the sources of enrichment
The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.
For more information, see: Viewing events.
UDM fields now show the sources of enrichment
The new Enrichment feature introduces improvements for managing and understanding your data. Each UDM field is now labeled with an icon to indicate its data source: U for unenriched fields and E for enriched fields. Enriched fields contain additional metadata values that indicate the source of the enriched data.
For more information, see: Viewing events.
The backup capabilities for ONTAP-mode are generally available (GA). For more information, see About backups.
Google Cloud NetApp Volumes remote Model Context Protocol (MCP) server is generally available. NetApp Volumes remote MCP server lets you manage storage pools, volumes, backup vaults, backup policies, backups, and snapshots from LLMs, AI applications, and AI-enabled development platforms. For more information, see Use the NetApp Volumes remote MCP server and NetApp Volumes MCP Reference.
NCC Gateway is generally available.
NCC Gateway lets you enable security functions, such as third-party Security Service Edge (SSE), for cross-cloud network traffic. You can use Secure Access Connect with NCC Gateway to securely connect remote workforces to private applications in Google Cloud, on-premises, or other cloud providers and to public applications, like Palo Alto Networks Prisma Access.
For information about pricing, see NCC Gateway pricing.
Policy Simulator for deny policies is generally available.
The Pub/Sub Lite to Managed Service for Apache Kafka migration guide has been updated to use the latest client libraries and to use Kafka Connect in Managed Service for Apache Kafka.
]]>On June 8th, 2026, we released an updated version of Apigee (1-17-0-apigee-9).
| Bug ID | Description |
|---|---|
| 514384893 | Security fix for Apigee. Hardened the Script policy to block server-side request forgery (SSRF) to link-local addresses. |
| N/A | Security fix for Apigee infrastructure. |
| Bug ID | Description |
|---|---|
| 512850756 | Added observability metrics for the OpenTelemetry trace export pipeline, reporting spans exported, export latency, batch size, and dropped spans. |
| 515039499 | Fixed an issue where OpenTelemetry trace export over HTTP could fail to authenticate when sent through a forward proxy that requires basic authentication. |
On June 8, 2026 we released an updated version of the Apigee hybrid software, v1.16.5.
Various security and CVE fixes are included in this release.
App Hub support for resources from Memorystore is now generally available (GA).
You can analyze data lineage with Gemini Cloud Assist in BigQuery. This feature is in Preview.
You can now use Gemini Cloud Assist to schedule queries. This feature is in Preview.
You can use the Google-developed, open source Java Database Connectivity (JDBC) driver for BigQuery to connect your Java applications to BigQuery. This feature is generally available (GA).
You can use custom constraints with Organization Policy to provide more granular control over specific fields for some BigQuery sharing resources. For more information, see Manage Sharing data exchanges and listings using custom constraints. This feature is generally available (GA).
IAM deny policies for BigQuery are now generally available (GA).
You can manage and limit the costs associated with BigQuery generative AI functions by configuring daily token quotas. Token-based cost management for BigQuery generative AI functions is generally available (GA).
FOCUS billing data export to BigQuery available in Preview
Cloud Billing data export to BigQuery now offers a FOCUS billing data export available in Preview. The FinOps Open Cost and Usage Specification (FOCUS) is an open specification that defines clear requirements for technology billing data generators to produce consistent cost and usage datasets. The Google Cloud billing data export using the FOCUS specifications includes FOCUS columns up to FOCUS version 1.2.
For more information about the FOCUS billing data export to BigQuery, refer to the following documentation:
Cloud SQL for MySQL managed buffer pool
is now generally available (GA).
Managed buffer pool helps you avoid out-of-memory events (OOMs) on your
Cloud SQL instance by reducing innodb_buffer_pool_size when memory usage is high.
1.28.7-asm.4 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2026-035.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.28.7-asm.4 uses Envoy v1.36.8-dev.
1.27.9-asm.5 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2026-035.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.27.9-asm.5 uses Envoy v1.35.12-dev.
1.26.8-asm.11 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2026-035.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.26.8-asm.11 uses Envoy v1.34.14.
The rollouts previously announced on June 3, 2026 have been stopped. The following release will supersede them and include those patches and the fix for the vulnerability listed in GCP-2026-035.
The Trace API supports regional endpoints. For a list of supported endpoints, see the REST API reference pages:
The workstation configuration creation page in the Google Cloud console has been optimized to make configuration creation faster and easier. Common machine settings are grouped into selectable machine presets, frequently used settings are consolidated on the Configuration essentials landing page, and a pending cluster with default settings is automatically provisioned when no cluster exists in your selected region.
Generally available: The C4D machine series supports Hyperdisk Balanced High Availability disks.
For more information, see About Hyperdisk Balanced High Availability and Performance limits for machine series.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
Fixed CVE-2026-43492 in the Linux kernel.
Fixed CVE-2026-43496 in the Linux kernel.
Fixed CVE-2026-43499 in the Linux kernel.
Fixed CVE-2026-43503 in the Linux kernel.
Fixed CVE-2026-45837 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Fixed CVE-2026-45839 in the Linux kernel.
Fixed CVE-2026-45841 in the Linux kernel.
Fixed CVE-2026-45842 in the Linux kernel.
Fixed CVE-2026-45843 in the Linux kernel.
Fixed CVE-2026-45844 in the Linux kernel.
Fixed CVE-2026-45987 in the Linux kernel.
Fixed CVE-2026-45991 in the Linux kernel.
Fixed CVE-2026-45997 in the Linux kernel.
Fixed CVE-2026-46005 in the Linux kernel.
Fixed CVE-2026-46015 in the Linux kernel.
Fixed CVE-2026-46021 in the Linux kernel.
Fixed CVE-2026-46033 in the Linux kernel.
Fixed CVE-2026-46037 in the Linux kernel.
Fixed CVE-2026-46040 in the Linux kernel.
Fixed CVE-2026-46046 in the Linux kernel.
Fixed CVE-2026-46050 in the Linux kernel.
Fixed CVE-2026-46051 in the Linux kernel.
Fixed CVE-2026-46061 in the Linux kernel.
Fixed CVE-2026-46062 in the Linux kernel.
Fixed CVE-2026-46065 in the Linux kernel.
Fixed CVE-2026-46070 in the Linux kernel.
Fixed CVE-2026-46072 in the Linux kernel.
Fixed CVE-2026-46076 in the Linux kernel.
Fixed CVE-2026-46082 in the Linux kernel.
Fixed CVE-2026-46086 in the Linux kernel.
Fixed CVE-2026-46089 in the Linux kernel.
Fixed CVE-2026-46094 in the Linux kernel.
Fixed CVE-2026-46101 in the Linux kernel.
Fixed CVE-2026-46102 in the Linux kernel.
Fixed CVE-2026-46106 in the Linux kernel.
Fixed CVE-2026-46107 in the Linux kernel.
Fixed CVE-2026-46108 in the Linux kernel.
Fixed CVE-2026-46115 in the Linux kernel.
Fixed CVE-2026-46116 in the Linux kernel.
Fixed CVE-2026-46120 in the Linux kernel.
Fixed CVE-2026-46124 in the Linux kernel.
Fixed CVE-2026-46128 in the Linux kernel.
Fixed CVE-2026-46129 in the Linux kernel.
Fixed CVE-2026-46131 in the Linux kernel.
Fixed CVE-2026-46132 in the Linux kernel.
Fixed CVE-2026-46135 in the Linux kernel.
Fixed CVE-2026-46139 in the Linux kernel.
Fixed CVE-2026-46149 in the Linux kernel.
Fixed CVE-2026-46150 in the Linux kernel.
Fixed CVE-2026-46155 in the Linux kernel.
Fixed CVE-2026-46159 in the Linux kernel.
Fixed CVE-2026-46161 in the Linux kernel.
Fixed CVE-2026-46172 in the Linux kernel.
Fixed CVE-2026-46173 in the Linux kernel.
Fixed CVE-2026-46174 in the Linux kernel.
Fixed CVE-2026-46176 in the Linux kernel.
Fixed CVE-2026-46177 in the Linux kernel.
Fixed CVE-2026-46185 in the Linux kernel.
Fixed CVE-2026-46193 in the Linux kernel.
Fixed CVE-2026-46195 in the Linux kernel.
Fixed CVE-2026-46196 in the Linux kernel.
Fixed CVE-2026-46209 in the Linux kernel.
Fixed CVE-2026-46214 in the Linux kernel.
Fixed CVE-2026-46234 in the Linux kernel.
Fixed CVE-2026-46243 in the Linux kernel.
Fixed CVE-2026-46300 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.90 | v27.5.1 | v2.2.3 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Gemini 3.5 Flash is now generally available to Gemini Code Assist users in VS Code and IntelliJ. You can use this model for agent mode, chat, and code generation.
Gemini 3.5 Flash is now generally available to Gemini Code Assist users in VS Code and IntelliJ. You can use this model for agent mode, chat, and code generation.
Gemini Enterprise: Gemini 3.5 Flash feature management toggle is no longer available after June 16, 2026
Starting June 16, 2026, the Gemini 3.5 Flash feature management toggle is no longer available. This change applies to the Global, US, and EU multi-regions.
Google Cloud CCaaS 4.39
We've released version 4.39 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
This release addresses the following issues:
Fixed an issue with Salesforce where cases weren't created when a virtual agent connected to a call.
Fixed an issue where agents on teams with transfer restrictions couldn't transfer chats to agents not assigned to a team.
Fixed an issue where agents who weren't available for chat transfers still appeared in the transfer list, causing transfer attempts to fail.
Fixed an issue where the Submit wrap-up button didn't appear in the call adapter after agents completed outbound calls.
Fixed an issue where an agent and caller could still hear each other after the agent placed the caller on hold.
Fixed an issue in the agent desktop that occurred after an agent transferred a call to a different queue. The agent desktop layout of the source queue displayed to the receiving agent instead of the layout of the destination queue.
Fixed an issue where the reporting for After Call Work (ACW) time was artificially high for calls transferred to a third party.
Fixed an issue where overcapacity deflection settings interfered with after-hours deflections, causing calls to be incorrectly queued.
Fixed an issue where the inactivity timeout didn't function as configured.
Several API dependencies that aren't required by Managed Airflow (Gen 3) are now phased out and must be enabled separately if you want to create Managed Airflow (Gen 2) environments in a new project. This change was announced previously.
The following API dependencies were phased out:
The following API dependencies aren't phased out yet and are scheduled to be detached from the Cloud Composer API in the future:
Existing Managed Airflow (Gen 3) and Managed Airflow (Gen 2) environments in projects where the Cloud Composer API is already enabled aren't impacted.
You can do the following:
Cloud Network Insights is in General Availability.
Cloud Network Insights monitors your network and web application performance across multicloud and hybrid networks and provides visualization tools to help identify and diagnose network issues.
The following additional features are included in this release:
Compute Engine VM Monitoring Points: deploy a Monitoring Point optimized for Google Cloud directly to your Google Cloud infrastructure using Terraform.
Connectivity Tests support: run Connectivity Tests from Cloud Network Insights to validate connectivity between endpoints of some dual-ended network paths.
The OBJECT_TYPE/PERSON/SIGNATURE infoType detector is available in global and the asia, europe, and us multi-regions. For more information about all infoTypes, see InfoType detector reference.
Agent Search: Prefix and partial matching for filtering search queries (Preview)
You can configure schema fields to support prefix matching and partial matching in filter expressions:
Prefix matching lets you filter search results based on whether a field value starts with a specific string.
Partial matching lets you filter results based on whether the query contains
some of the words in the field value. Partial matching doesn't require a
perfect match like the ANY operator does.
This feature is in Public Preview. For more information, see Configure field settings.
Agent Search: EXISTS filter for filtering search queries (Preview)
You can use the EXISTS filter to filter search results for documents.
Specifying EXISTS for a field means that a document can only be returned in a
search request if the field has a value and that value is not the default.
This
filter is available for custom search and for media search. Use EXISTS with
other filters such as ANY and IN to create expressions to scope the
documents that can be returned in a search query.
This feature is in Public Preview. For more information, see Filter custom search for structured or unstructured data, Filter website search, and Filter media search.
]]>Release 6.3.88 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Cloud Location Finder is generally available (GA).
Release 6.3.87 is now available for all regions.
General availability support for the following integration:
]]>Cloud Data Fusion version 6.11.1.3 is generally available (GA).
Fixed in Cloud Data Fusion 6.11.1.3:
Fixed an issue that caused pipeline preview runs to fail with an
InaccessibleObjectException when using certain plugins, such as
Cloud SQL for PostgreSQL
(CDAP-21212).
Fixed an issue causing custom plugins to lose their logging context when running in parallel pipeline branches, ensuring consistent log propagation across both linear and parallel branched pipeline executions (CDAP-21245).
Fixed critical security vulnerabilities in CDAP (CDAP-21250).
Improved the latency of the List pipelines page (CDAP-21244).
Fixed an issue causing intermittent service unavailability after instance upgrades (CDAP-21254).
Changes in Cloud Data Fusion 6.11.1.3:
deployStrategy query parameter in the
Deploy Application API
to skip the re-deployment of an existing pipeline if its configuration hasn't
changed
(CDAP-21246).Custom dashboards can display trace data. You can view individual spans or aggregated data. This feature is public preview. For more information, see the following:
Custom dashboards can display trace data. You can view individual spans or aggregated data. This feature is public preview. For more information, see Display traces on a custom dashboard.
Gemini Enterprise: Asana data store (Preview)
The Asana data store is available in Public Preview in Gemini Enterprise.
You can connect an Asana account to search and read projects, workspaces, teams, and tasks using natural language. You can also perform actions, such as creating projects and tasks, directly from the Gemini Enterprise app.
For more information, see Connect Asana.
Gemini Enterprise: Administrator control for Gemini 3.5 Flash
As a reminder, effective June 9, 2026, the feature management toggle for Gemini 3.5 Flash is no longer available. Gemini 3.5 Flash is enabled by default for all users in the Gemini Enterprise app and cannot be disabled.
This change applies to the Global, US, and EU multi-regions.
Google Distributed Cloud (software only) for bare metal 1.33.900-gke.90 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.33.900-gke.90 runs on Kubernetes v1.33.11-gke.100.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.33.900-gke.90:
Starting June 1, 2026, the Data Catalog service begins a phased shutdown. From this date onward, you might experience disruptions or a complete lack of access to Data Catalog APIs. Knowledge Catalog (formerly known as Dataplex Catalog) operates without impact.
For more information about migrating from Data Catalog to Knowledge Catalog, see Transition from Data Catalog to Knowledge Catalog.
AI Protection supports data residency in the European Union (EU) for the Security Command Center Premium tier.
For more information, see Planning for data residency.
The following Security Command Center finding category names from AI Protection have new names that clarify that AI Protection detects Gemini foundation models:
VERTEX_AI_MODEL_DETECTED changes to GEMINI_MODEL_DETECTED.VERTEX_AI_MODEL_NOT_PROTECTED_BY_MODEL_ARMOR changes to
GEMINI_MODEL_NOT_PROTECTED_BY_MODEL_ARMOR.For more information about AI Protection findings, see AI Protection overview.
]]>Addressed multiple Common Vulnerabilities and Exposures (CVEs) by updating dependencies.
To view the instrumentation scope or the schema associated with a span, open the Details view for the span and select the Metadata & Links tab. For more information, see View attributes, log entries, and events.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
Fixed CVE-2026-43499 in the Linux kernel.
Fixed CVE-2026-43503 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Fixed CVE-2026-45839 in the Linux kernel.
Fixed CVE-2026-45841 in the Linux kernel.
Fixed CVE-2026-45842 in the Linux kernel.
Fixed CVE-2026-45843 in the Linux kernel.
Fixed CVE-2026-45844 in the Linux kernel.
Fixed CVE-2026-45987 in the Linux kernel.
Fixed CVE-2026-45991 in the Linux kernel.
Fixed CVE-2026-45997 in the Linux kernel.
Fixed CVE-2026-46005 in the Linux kernel.
Fixed CVE-2026-46015 in the Linux kernel.
Fixed CVE-2026-46021 in the Linux kernel.
Fixed CVE-2026-46033 in the Linux kernel.
Fixed CVE-2026-46037 in the Linux kernel.
Fixed CVE-2026-46040 in the Linux kernel.
Fixed CVE-2026-46046 in the Linux kernel.
Fixed CVE-2026-46050 in the Linux kernel.
Fixed CVE-2026-46051 in the Linux kernel.
Fixed CVE-2026-46065 in the Linux kernel.
Fixed CVE-2026-46070 in the Linux kernel.
Fixed CVE-2026-46082 in the Linux kernel.
Fixed CVE-2026-46086 in the Linux kernel.
Fixed CVE-2026-46089 in the Linux kernel.
Fixed CVE-2026-46094 in the Linux kernel.
Fixed CVE-2026-46101 in the Linux kernel.
Fixed CVE-2026-46102 in the Linux kernel.
Fixed CVE-2026-46106 in the Linux kernel.
Fixed CVE-2026-46107 in the Linux kernel.
Fixed CVE-2026-46115 in the Linux kernel.
Fixed CVE-2026-46116 in the Linux kernel.
Fixed CVE-2026-46120 in the Linux kernel.
Fixed CVE-2026-46124 in the Linux kernel.
Fixed CVE-2026-46131 in the Linux kernel.
Fixed CVE-2026-46132 in the Linux kernel.
Fixed CVE-2026-46149 in the Linux kernel.
Fixed CVE-2026-46150 in the Linux kernel.
Fixed CVE-2026-46155 in the Linux kernel.
Fixed CVE-2026-46161 in the Linux kernel.
Fixed CVE-2026-46172 in the Linux kernel.
Fixed CVE-2026-46173 in the Linux kernel.
Fixed CVE-2026-46174 in the Linux kernel.
Fixed CVE-2026-46176 in the Linux kernel.
Fixed CVE-2026-46185 in the Linux kernel.
Fixed CVE-2026-46195 in the Linux kernel.
Fixed CVE-2026-46196 in the Linux kernel.
Fixed CVE-2026-46209 in the Linux kernel.
Fixed CVE-2026-46214 in the Linux kernel.
Fixed CVE-2026-46234 in the Linux kernel.
Fixed CVE-2026-46300 in the Linux kernel.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
Updated minijail to r188.
Fixed CVE-2026-43303 in the Linux kernel.
Fixed CVE-2026-43499 in the Linux kernel.
Fixed CVE-2026-45838 in the Linux kernel.
Fixed CVE-2026-45839 in the Linux kernel.
Fixed CVE-2026-45841 in the Linux kernel.
Fixed CVE-2026-45842 in the Linux kernel.
Fixed CVE-2026-45843 in the Linux kernel.
Fixed CVE-2026-45844 in the Linux kernel.
Fixed CVE-2026-45987 in the Linux kernel.
Fixed CVE-2026-45991 in the Linux kernel.
Fixed CVE-2026-45997 in the Linux kernel.
Fixed CVE-2026-46005 in the Linux kernel.
Fixed CVE-2026-46015 in the Linux kernel.
Fixed CVE-2026-46021 in the Linux kernel.
Fixed CVE-2026-46033 in the Linux kernel.
Fixed CVE-2026-46037 in the Linux kernel.
Fixed CVE-2026-46040 in the Linux kernel.
Fixed CVE-2026-46046 in the Linux kernel.
Fixed CVE-2026-46050 in the Linux kernel.
Fixed CVE-2026-46051 in the Linux kernel.
Fixed CVE-2026-46065 in the Linux kernel.
Fixed CVE-2026-46070 in the Linux kernel.
Fixed CVE-2026-46082 in the Linux kernel.
Fixed CVE-2026-46086 in the Linux kernel.
Fixed CVE-2026-46089 in the Linux kernel.
Fixed CVE-2026-46094 in the Linux kernel.
Fixed CVE-2026-46101 in the Linux kernel.
Fixed CVE-2026-46102 in the Linux kernel.
Fixed CVE-2026-46106 in the Linux kernel.
Fixed CVE-2026-46107 in the Linux kernel.
Fixed CVE-2026-46115 in the Linux kernel.
Fixed CVE-2026-46116 in the Linux kernel.
Fixed CVE-2026-46120 in the Linux kernel.
Fixed CVE-2026-46124 in the Linux kernel.
Fixed CVE-2026-46131 in the Linux kernel.
Fixed CVE-2026-46132 in the Linux kernel.
Fixed CVE-2026-46149 in the Linux kernel.
Fixed CVE-2026-46150 in the Linux kernel.
Fixed CVE-2026-46155 in the Linux kernel.
Fixed CVE-2026-46161 in the Linux kernel.
Fixed CVE-2026-46172 in the Linux kernel.
Fixed CVE-2026-46173 in the Linux kernel.
Fixed CVE-2026-46174 in the Linux kernel.
Fixed CVE-2026-46176 in the Linux kernel.
Fixed CVE-2026-46185 in the Linux kernel.
Fixed CVE-2026-46195 in the Linux kernel.
Fixed CVE-2026-46196 in the Linux kernel.
Fixed CVE-2026-46209 in the Linux kernel.
Fixed CVE-2026-46214 in the Linux kernel.
Fixed CVE-2026-46234 in the Linux kernel.
Fixed CVE-2026-46300 in the Linux kernel.
Custom extractor offers document validation and correction in Preview.
This feature allows you to enhance extraction accuracy with validation rules and document data using Common Expression Language (CEL) dialect.
For more information, see CEL dialect for document validation.
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.34.8-gke.1218000 | cos-125-19216-395-7 | cos-125-19216-395-7 release notes |
| 1.36.0-gke.2684000 | cos-129-19506-120-64 | cos-129-19506-120-64 release notes |
GKE Gateway now supports frontend mTLS (client certificate validation). Frontend mTLS allows the Gateway to authenticate client-presented certificates. This feature is available for the following GatewayClasses:
gke-l7-global-external-managedgke-l7-regional-external-managedgke-l7-rilbFor more information, see Configure frontend mTLS for a Gateway.
You can use the lookupContext method to retrieve a pre-formatted bundle of data asset context optimized for interactive agentic workflows. This LLM-ready context helps to ground your agents in assessing and using data assets.
This feature is available in preview.
For more information, see Retrieve context for data assets.
Looker 26.10 is expected to include the following changes, features, and fixes:
An issue has been fixed where clicking Save and Schedule on an Explore could fail to load the Schedule dialog in a Looker (Google Cloud core) instance. This feature now performs as expected.
An issue has been fixed where cross filters didn't properly appear in the right-aligned filter bar. This feature now performs as expected.
An issue has been fixed where attempting to download or schedule the Recent Login Failures tile on the User Activity System Activity dashboard could fail. This feature now performs as expected.
An issue has been fixed where users were unable to scroll dashboards when the filter bar was open. This feature now performs as expected.
An issue has been fixed where dragging a dashboard tile horizontally could cause the tile to expand beyond the browser window. This feature now performs as expected.
An issue has been fixed for filters on custom calendar fields that was causing a SQL error when the custom calendar dimension_group or the custom calendar reference_date had a non-timestamp datatype specified. This feature now performs as expected.
An issue has been fixed where configuring remote dependencies with custom SSH ports for on-premise Git repositories could fail. This feature now performs as expected.
An issue has been fixed where applying string matching filters (such as Contains or Starts With) with an empty value could generate incorrect filter SQL. This feature now performs as expected.
An issue has been fixed where the labels that were specified in the PDT Override Additional JDBC Parameters field weren't being applied to BigQuery table creation jobs. This feature now performs as expected.
An issue has been fixed where changes to Markdown files weren't saved when you switched between Edit and Preview mode. This feature now performs as expected.
An issue has been fixed where running queries against derived tables in SQL Runner could cause Looker to return a 500 error. This feature now performs as expected.
An issue has been fixed where the right-aligned filter bar could become wide enough to require a scroll bar if a range slider filter was added. This feature now performs as expected.
An issue has been fixed where right-clicking in a drill-down menu during a cookieless embed session could incorrectly close the menu. This feature now performs as expected.
An issue has been fixed where retrieving all schemas for a Denodo connection could overload the database CPU. This feature now performs as expected.
An issue has been fixed where the Unsubscribe link could fail to appear in a scheduled report email. This feature now performs as expected.
An issue has been fixed where the Advanced Vis Config editor would not recognize the plotOptions.column.borderRadius option. This feature now performs as expected.
An issue has been fixed where dashboard filters could fail to be updated from inactive to active color highlighting when certain types of date inputs were present. This feature now performs as expected.
An issue has been fixed where visualizations could overflow instead of shrinking when a tile or browser was resized. This feature now performs as expected.
When you edit a visualization, the Advanced Vis Config editor can now override default theme border and padding styles. This feature now performs as expected.
An issue has been fixed where a join wouldn't be added to a query if the join was required by a measure that was excluded from an Explore. This feature now performs as expected.
An issue has been fixed where period-over-period (POP) measures of types previous and difference that were based on count and sum measures would incorrectly return null instead of zero when no data was available for the comparison period. This feature now performs as expected.
An issue has been fixed where filter suggestions on dashboard filters could incorrectly retain previous filter values. This feature now performs as expected.
An issue has been fixed where setting a field name or an Explore name in a LookML dashboard as a non-string datatype could cause the LookML validator to return a 500 error. This feature now performs as expected.
An issue has been fixed where the button group dashboard filter type could display more than 30 options, cluttering the UI. This feature now performs as expected.
An issue has been fixed where moving a filter by dragging it could also inadvertently highlight text. This feature now performs as expected.
An issue has been fixed where some PDT settings were unavailable when you created a BigQuery connection by using the Quickstart flow in a Looker (Google Cloud core) instance. This feature now performs as expected.
Period-over-period (PoP) measures are now supported on connections to Trino databases.
Memorystore for Valkey has additional node-level metrics for Cloud Monitoring. These metrics offer detailed insights into the health and performance of individual nodes within an instance. You can use the metrics to troubleshoot issues with the nodes to optimize their performance. The metrics are available in Preview.
Google Cloud's Agent for SAP version 3.15
Version 3.15 of Google Cloud's Agent for SAP is generally available (GA). This version updates the libraries in the agent's GitHub repository to address vulnerabilities when you're building the agent from its GitHub source.
For more information, see What's new with Google Cloud's Agent for SAP.
reCAPTCHA Mobile SDK v18.9.1 is available for iOS. This version fixes symbol collisions with libraries using Objective-C protos.
]]>App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
App Engine supports Direct VPC egress in Preview. Direct VPC egress lets your workloads access VPC network resources as a simpler, more cost-effective alternative to Serverless VPC Access connectors.
BigQuery fluid scaling, which provides per-second billing with no minimum duration for autoscaling reservations, is generally available (GA).
1.28.7-asm.3 is now available for in-cluster Cloud Service Mesh.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.28.7-asm.3 uses Envoy v1.36.7-dev.
Patch 1.28.7-asm.3 contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
1.27.9-asm.4 is now available for in-cluster Cloud Service Mesh.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.27.9-asm.4 uses Envoy v1.35.10-dev.
Patch 1.27.9-asm.4 contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2022-31045 | Yes | Yes | Yes | Yes | Medium (9.8) |
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2019-14993 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39155 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39156 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2022-23635 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
The following images are now rolling out for managed Cloud Service Mesh:
These patch releases contain the fixes for the following CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
1.26.8-asm.10 is now available for in-cluster Cloud Service Mesh.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh 1.26.8-asm.10 uses Envoy v1.34.14.
Patch 1.26.8-asm.10 contains fixes for the following platform CVEs:
| CVE | Proxy | Control Plane | Distroless | CNI | Severity |
|---|---|---|---|---|---|
| CVE-2022-31045 | Yes | Yes | Yes | Yes | Medium (9.8) |
| CVE-2026-27143 | Yes | Yes | Yes | Yes | Critical (9.8) |
| CVE-2026-31789 | Yes | Yes | No | Yes | Low (9.8) |
| CVE-2026-27140 | Yes | Yes | Yes | Yes | High (8.8) |
| CVE-2026-28387 | Yes | Yes | No | Yes | Low (8.1) |
| CVE-2026-41413 | Yes | Yes | Yes | Yes | Medium (7.7) |
| CVE-2019-14993 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39155 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2021-39156 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2022-23635 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-2219 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-27135 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-28388 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28389 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-28390 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-29181 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-31790 | Yes | Yes | No | Yes | Medium (7.5) |
| CVE-2026-32280 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32281 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-32283 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33811 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-33814 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-34986 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39820 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-39836 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4046 | No | No | Yes | No | High (7.5) |
| CVE-2026-42499 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-42501 | Yes | Yes | Yes | Yes | High (7.5) |
| CVE-2026-4437 | No | No | Yes | No | High (7.5) |
| CVE-2026-5773 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-6276 | Yes | Yes | No | Yes | Low (7.5) |
| CVE-2026-27144 | Yes | Yes | Yes | Yes | High (7.1) |
| CVE-2026-39883 | Yes | Yes | Yes | Yes | High (7.0) |
| CVE-2026-4878 | Yes | Yes | No | Yes | Medium (7.0) |
| CVE-2026-5545 | Yes | Yes | No | Yes | Medium (6.5) |
| CVE-2026-32282 | Yes | Yes | Yes | Yes | Medium (6.4) |
| CVE-2026-32289 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39823 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39826 | Yes | Yes | Yes | Yes | Medium (6.1) |
| CVE-2026-39817 | Yes | Yes | Yes | Yes | Medium (5.9) |
| CVE-2026-4873 | Yes | Yes | No | Yes | Low (5.9) |
| CVE-2026-6253 | Yes | Yes | No | Yes | Medium (5.9) |
| CVE-2026-32288 | Yes | Yes | Yes | Yes | Medium (5.5) |
| CVE-2026-39350 | Yes | Yes | Yes | Yes | Medium (5.4) |
| CVE-2026-4438 | No | No | Yes | No | Medium (5.4) |
| CVE-2026-39819 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-39825 | Yes | Yes | Yes | Yes | Medium (5.3) |
| CVE-2026-6429 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-7168 | Yes | Yes | No | Yes | Medium (5.3) |
| CVE-2026-35469 | No | Yes | No | Yes | High (0.0) |
| CVE-2026-5958 | Yes | Yes | No | Yes | Medium (0.0) |
Generally available: You can gradually create Flex-start VMs in a managed instance group (MIG) as capacity becomes available. Unlike resize requests for MIGs that wait for full capacity before creating VMs, this method might create only a portion of your requested Flex-start VMs if capacity is unavailable. The MIG creates the remaining VMs later as capacity permits. Flex-start VMs run for up to seven days and help you obtain high-demand resources, such as GPUs, at a discounted price.
For more information, see Create a MIG that uses Flex-start VMs.
Various bug fixes and minor product enhancements.
Gemini Enterprise: DRZ and MLP compliance in the EU for NotebookLM Enterprise
Gemini Enterprise is compliant with data residency (DRZ) and machine learning processing (MLP) requirements in the EU for NotebookLM Enterprise for adding sources and interacting with the sources (chat). However, the Discover Sources feature and Studio features, such as audio overview, slide deck, infographic, video overview, mind map, and reports, are not MLP compliant.
For more information on location limitations, see NotebookLM limitations.
Google Cloud CCaaS 4.38
We've released version 4.38 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Sort and filter emails
Agents can now sort and filter emails by date in the email adapter.
User experience changes: The email adapter has the following new UI elements:
A button to toggle between Oldest to newest and Newest to oldest in the email list.
A Filter by Date list to filter by preset filters or by a configurable date range.
For more information, see Email lists.
This release addresses the following issues:
Fixed an issue where Canadian French translations for notifications and error messages were appearing in English.
Fixed an issue where the Alvaria WFM Agent Performance report was exporting every minute instead of once daily.
Fixed an issue where the Agent Preferences table on the Agent Availability dashboard didn't update when an agent modified their availability preferences.
Fixed an agent desktop issue where clicking the Transfer button in an SMS chat displayed an error instead of starting a transfer.
Fixed an issue where a delay in Salesforce task creation caused a lag in updating the ticket ID on calls.
Fixed an issue where agents were unable to transfer SMS chats.
Fixed an issue where incoming chats were routed to newly signed-in agents instead of to those who had been available the longest.
Fixed an issue where messages in the chat adapter's chat history weren't labeled or aligned to distinguish agent messages from end-user messages.
Fixed an issue in the IVR Queue Menu Settings pane where the text input field didn't appear when users selected Text-to-speech.
Fixed an issue in the SMS Queue Menu Settings pane where phone numbers weren't appearing in the incoming and outbound Assigned Numbers fields.
Fixed an issue where the web SDK didn't load.
Fixed an issue where live transcripts and conversation summarization didn't display in the agent desktop following an instance update.
AlienVault USM Appliance: Version 28.0
ConnectWise: Version 23.0
Google Chronicle: Version 84.0
Jira: Version 58.0
ServiceDesk Plus: Version 10.0
ServiceDesk PlusV3: Version 10.0
ServiceNow: Version 67.0
Siemplify: Version 245.0
MISP: Version 275.6
Microsoft Sentinel Incident Tracking Connector: Version 29.0
Incident Creation Time Filter (days) advanced parameter and optimized error handling logic.You can use Policy Analyzer to visualize allow policy queries. This can help you understand the relationship between identities, roles, permissions, and resources within your resource hierarchy.
Policy Analyzer supports queries about agent identities. You can see who can access an agent or what resources and agents a specific agent can reach.
These features are available in in Preview.
For more information, see Analyze allow policies.
Added support for inspecting and de-identifying conversational content. You can now include a Conversation in your ContentItem requests.
Preview stage support for the following integration:
]]>You can now configure a cooldown period to determine when autoscaling occurs for your read pool instances. For more information, see Scale an instance.
On June 2nd, 2026, we released an updated version of Apigee Cassandra.
| Bug ID | Description |
|---|---|
| Apigee Cassandra security update | Security fix for Apigee Cassandra infrastructure. This addresses the following vulnerabilities: |
Remote functions now support a custom path in the endpoint URL. You can reuse a single Cloud Run service for multiple BigQuery remote functions by specifying different path suffixes on the same endpoint. This feature is generally available (GA).
A single-region Critical production SLA for Cloud Interconnect is Generally Available.
For workloads that require 99.99% availability within a single region, you can now configure a single-region topology that achieves the Critical production SLA.
For more information, see Establish 99.99% availability for Dedicated Interconnect or the Cross-Cloud Interconnect overview.
TLS post-quantum key exchange support is now available for
Application Load Balancers and external proxy Network Load Balancers.
Post-quantum key exchange is
essential for protecting today's traffic from future quantum computing
decryption risks (harvest now, decrypt later attacks).
With post-quantum key exchange enabled, the
load balancer uses post-quantum key exchange with clients that support TLS
1.3 and X25519MLKEM768 key exchange.
This feature is rolling out in three phases:
Phase 1 (Until October 2026): Post-quantum key exchange is not enabled by default. Customers can elect to opt in and enable it using their SSL policy.
Phase 2 (October 2026 through October 2027): The feature is enabled by default. Customers can elect to defer (opt out) if required.
Phase 3 (After October 2027): The feature is enabled by default, and options to defer are no longer effective.
We strongly encourage you to enable post-quantum key exchange now, even before it is turned on by default. The opportunity to test this today will help you verify that clients and any intermediate network devices can properly negotiate post-quantum key exchange.
For more information, see Post-quantum key exchange.
Support for Histogram widgets on custom dashboards is generally available. These widgets extract the most recent value from each time series, group those values into ranges, and then provide a graphical representation of the result. Unlike tables or other widgets that display the most recent values, Histograms display information about the relative frequency of ranges of values.
This widget is one of several visualizations that you can use to display the most recent values. For more information, see the following documents:
The create-observability bucket flow enforces organization policies with constraints on resource locations. This flow also enforces policies that require customer-managed encryption keys (CMEKs) and that restrict the projects that store those keys. Your trace data is stored in an observability bucket.
For more information, see the following:
Datastream now offers a free tier for change data capture (CDC) data processed from Google Cloud sources, such as AlloyDB for PostgreSQL and Spanner. You get the first 100 GiB of CDC data for free per billing account, per month.
For more information, see the Pricing page.
You can configure your Filestore instances to use Private Service Connect with NFSv3 or NFSv4.1 file system protocols and IPv4 or IPv6 address families to allow consumers access managed services privately from inside their VPC network. This feature is generally available.
For more information, see Create a Filestore instance with Private Service Connect.
Gemini Enterprise: Gemini 3 pro image (Nano Banana Pro) and Gemini 3.1 flash image (Nano Banana 2) for image generation
Gemini 3.1 flash image (Nano Banana 2) and Gemini 3 pro image (gemini-3.0-pro-image) are generally available (GA) in Gemini Enterprise app.
To make these models available to users in your Gemini Enterprise app, a Gemini Enterprise administrator can manage them in the feature controls:
Gemini 3 pro image (Nano Banana Pro): Turned off by default and is only available in the Global region.
Gemini 3.1 flash image (Nano Banana 2): Turned off by default and is only available in the Global region. If an administrator turned on this model during its Public Preview, it remains turned on in GA in the Gemini Enterprise app.
For more information about feature controls, see Manage features on the web app.
Updates to abuse monitoring and zero data retention documentation
Documentation for abuse monitoring, zero data retention, and responsible AI has been updated to align with the Advanced AI Safety Addendum. These updates include new details regarding Advanced AI safety, partner-specific terms, and request-response logging for models like Claude Mythos and Opus.
For more information, see:
GKE is introducing the following changes to expand the capabilities of maintenance exclusions:
For more information, see Maintenance exclusions.
(Managed Airflow Gen 3) You can now access Cloud Run endpoints restricted to internal ingress traffic through your environment's network attachment. This feature is available through gcloud CLI beta commands and beta Cloud Composer API in all Managed Airflow (Gen 3) versions.
Google Cloud NetApp Volumes Flex Unified service level is available with limited performance in the following region:
For more information about limited performance regions, see Supported regions for Flex Unified limited performance.
]]>Agent Assist offers summarization with custom sections 6.0 in GA. The 6.0 version is powered by gemini-3.5-flash and available in all Agent Assist regions.
Agent Assist offers summarization autoevaluation with more rubrics for evaluating completeness. This update also explains the use of N/A in the overall performance view.
Summarization autoevaluation is available in the following additional regions:
The Facebook Ads connector for the BigQuery Data Transfer Service now supports data transfers from the following Facebook Ads reports:
AdInsightsMMMAdsAdCreativesAdSetsCampaignsAdImagesAdLabelsBusinessesCustomAudiencesCUD Analysis is Generally Available
CUD Analysis has reached general availability (GA). This tool supports the new spend-based CUD model and provides a unified interface for customers to examine both spend-based and resource-based CUDs. It offers a consolidated view of Compute resources including the benefits of both resource-based and spend-based CUDs.
You can use this tool to do the following:
For more information, see Analyze the effectiveness of your CUDs.
A modernized, component-centric interface for Cloud Load Balancing is available in Preview. This inaugural release provides an expanded perspective of load balancing infrastructure, offering enhanced transparency into individual component configurations.
The key features of this release include the following:
Comprehensive resource inventory: A centralized, searchable, and sortable management layer for granular resources—including forwarding rules, target proxies, and TLSRoutes—facilitating detailed monitoring of resource status and interdependencies.
Interactive resource topology: A contextual visualization tool that maps traffic flow from forwarding rules through proxies to backends, enabling technical teams to efficiently analyze dependencies and accelerate issue resolution.
Integrated audit logging: Embedded audit logs within the console that offer a unified module for monitoring and tracking historical configuration changes.
The details page for a span can display the call hierarchy of a trace by using a directed acyclic graph (DAG). If you view an Application Monitoring dashboard and explore the trace data that it displays, the flyout supports the DAG option. If you open the Trace Explorer page and explore a span, the DAG option is also available.
For more information, see the following:
Generally available: Compute Engine supports Google's custom-developed accelerator Tensor Processing Unit (TPU), providing a converged experience across AI accelerators on Google Cloud. You can use the Compute Engine instance API and managed instance group (MIG) API to create and manage TPU VMs. You can perform standard VM configurations such as using a custom OS or configure boot disk size. Compute Engine APIs support the creation and management of TPU slices across all consumption options, enabling small-scale experimentation and large-scale training and inference workloads.
For more information, see TPU resources in Compute Engine.
The details page for a span can display the call hierarchy of a trace using a directed acyclic graph (DAG). One way to view a span's details is to open the Trace Explorer page and select the span. The DAG view is also available for some integrations. For example, if you view an Application Monitoring dashboard and explore the trace data it displays, the flyout supports the DAG option.
For more information, see the following:
Generally available: Compute Engine supports the Google's custom-developed accelerator Tensor Processing Unit (TPU), providing a converged experience across AI accelerators on Google Cloud. You can use the Compute Engine instance API and managed instance group (MIG) API to create and manage TPU VMs. You can perform standard VM configurations such as using a custom OS or configure boot disk size. Compute Engine APIs support the creation and management of TPU slices across all consumption options, enabling small-scale experimentation and large-scale training and inference workloads.
For more information, see TPU resources in Compute Engine.
Generally available: In a managed instance group (MIG), obtain the requested number of virtual machine (VM) instances all at once by using bulk mode of the target size policy. Using bulk mode helps you avoid partial VM provisioning in a MIG. Bulk mode is particularly beneficial for batch workloads, such as high performance computing (HPC) or distributed training, that require full capacity before they can start. For more information, see About bulk mode.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
Added dev-libs/mpdecimal and dev-python/gentoo-common.
Updated app-containers/runc from v1.2.8 to v1.2.9
Updated dev-lang/python to v3.11.15.
Added support for NVIDIA driver v580.159.04.
Upgraded app-shells/dash to v0.5.13.4.
Fixed EFI variable OOB read in grub config parsing.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
Allow overriding IMA policy from oem partition.
On cchost boards, autoload IMA policy on boot.
Set static UUID for the stateful partition.
Added support for NVIDIA driver v580.159.04.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
Updated Python to v3.8.20.
Updated app-containers/runc from v1.2.8 to v1.2.9
Added support for NVIDIA driver v580.159.04.
Fixed EFI variable OOB read in grub config parsing.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.90 | v27.5.1 | v2.2.3 | See List |
Runtime sysctl changes:
Added support for NVIDIA driver v580.159.04.
The Filestore remote Model Context Protocol (MCP) server is generally available (GA). The Filestore remote MCP server lets you create and manage Filestore instances from LLMs, AI applications, and AI-enabled development platforms.
Support for searching for and managing your Firestore resources using Knowledge Catalog, which is a platform for storing, managing, and accessing your metadata. To learn more, see View Knowledge Catalog insights.
Support for searching for and managing your Firestore resources using Knowledge Catalog, which is a platform for storing, managing, and accessing your metadata. To learn more, see View Knowledge Catalog insights.
Gemini Enterprise: Agent Designer migration to Gemini 3.5 Flash
Agent Designer agents in the US and Global regions that previously migrated from Gemini 2.5 Flash and Gemini 2.5 Pro to Gemini 3.1 Pro have been migrated to Gemini 3.5 Flash. This migration is automatic and requires no action.
To use a different model, edit your agent's settings using either conversational chat or the flow builder.
Gemini Enterprise: Create and edit documents and slides in Canvas
Canvas is a dedicated, interactive tool within the Gemini Enterprise web app. It allows you to create and edit AI-generated documents and presentations directly from your chats. You can then export these to Google Workspace, Microsoft Office formats, and PDF.
A Gemini Enterprise administrator must turn on the feature so that users can use it in the Gemini Enterprise app. For more information about feature controls, see Manage features on the web app.
For more information, see Create and edit documents and slides in Canvas.
Gemini 2.0 Flash and Gemini 2.0 Flash-Lite are discontinued
Gemini 2.0 Flash and 2.0 Flash-Lite are discontinued and are no longer available. This includes both model serving and Provisioned Throughput. Use Gemini 3.1 Flash-Lite, Gemma 4, or more recent Gemini releases.
All 3-year (36-month) post-paid ve2 committed use discounts (CUDs) for Google Cloud VMware Engine purchased after May 31, 2026, will terminate on October 15, 2028. 3-year CUD pricing will apply, regardless of the actual term of the CUD. Additionally, 3-year pre-paid CUDs are no longer available; only 1-year pre-paid CUDs are available.
The Manage access to preview features feature has been rolled back.
New SAP certification for operating system: RHEL 10.0 for SAP
For use with SAP HANA and SAP NetWeaver on Google Cloud, SAP has certified the operating system Red Hat Enterprise Linux (RHEL) 10.0 for SAP.
For more information about SAP-certified operating systems, see:
General Availability: Composite Health for Private Service Connect, formerly known as Private Service Connect health, lets service producers define health criteria for published services, enabling automatic cross-region failover for consumers that access the service by using Private Service Connect backends.
reCAPTCHA Mobile SDK v18.9.1 is available for Android. This version fixes an issue that caused package name collisions when building projects using Android Gradle Plugin version 9.0 or higher.
]]>Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ONEPASSWORD_AUDIT_EVENTS)AIX_SYSTEM)APACHE)ARUBA_EDGECONNECT_SDWAN)AVAYA_AURA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)GUARDDUTY)AWS_SECURITY_HUB)AZURE_AD)AZURE_AD_CONTEXT)AZURE_AD_SIGNIN)AZURE_SQL)AZURE_STORAGE_AUDIT)BARRACUDA_WAF)BLUECOAT_WEBPROXY)CHROME_MANAGEMENT)CISCO_ACS)CISCO_ISE)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CITRIX_NETSCALER)CLAROTY_XDOME)CLAUDE_COMPLIANCE_LOGS)CLOUDFLARE)CLOUDFLARE_WARP)CORELIGHT)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)DUO_ADMIN)EFFICIENTIP_DDI)ELASTIC_AUDITBEAT)ELASTIC_WINLOGBEAT)F5_ASM)FORCEPOINT_WEBPROXY)FORTINET_FIREWALL)GITHUB)GCP_CLOUD_ASSET_INVENTORY)GCP_CLOUDAUDIT)GCP_COMPUTE_CONTEXT)GTI_IOC)GTB_DLP)CLEARPASS)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_WAF)IMPERVA_CEF)IMPERVA_DRA)IMPERVA_SECURESPHERE)ISLAND_BROWSER)JUNIPER_FIREWALL)JUNIPER_MIST)KUBERNETES_NODE)LASTPASS)AUDITD)AZURE_ACTIVITY)MICROSOFT_DEFENDER_MAIL)IIS)MOBILEIRON)MONGO_DB)MYSQL)NETAPP_STORAGEGRID)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)GCP_NGFW_ENTERPRISE)OFFICE_365)OFFICE_365_MESSAGETRACE)OKTA_SCALEFT)ORACLE_DB)OCI_AUDIT)ORCA)PROOFPOINT_ON_DEMAND)RADWARE_FIREWALL)REDHAT_DIRECTORY_SERVER)REDHAT_OPENSHIFT)SALESFORCE)SANGFOR_NGAF)GCP_SECURITYCENTER_ERROR)GCP_SECURITYCENTER_MISCONFIGURATION)GCP_SECURITYCENTER_OBSERVATION)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)GCP_SECURITYCENTER_UNSPECIFIED)GCP_SECURITYCENTER_VULNERABILITY)SENTINELONE_CF)SERVICENOW_SECURITY)SOURCEFIRE_IDS)SURICATA_EVE)SEP)SYSDIG)TRENDMICRO_DEEP_SECURITY)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)UBIQUITI_SWITCH)NIX_SYSTEM)UPWIND)VMWARE_ESX)VMWARE_VSPHERE)WINDOWS_DNS)WINEVTLOG)WIZ_IO)WORKDAY_USER_ACTIVITY)WORKSPACE_ACTIVITY)ZSCALER_WEBPROXY)ZSCALER_CASB)ZSCALER_DLP)ZSCALER_ZPA)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
AZURE_SOFTWARE_VULNERABILITIES)CALLER_VERIFY)CERTSECURE_LOG)CISCO_MULTICLOUD_DEFENSE_FIREWALL)CURSOR)CYFIRMA_DECYFIR_LOG)DATABAHN)FLARE_DARKWEB_ALERTS)FORTINET_FORTIAPPSEC)HIKVISION_NVR)IBM_B2B_INTEGRATOR)IBM_VDP)IMPERVA_ATO)IMPERVA_CSP)IMPERVA_DNS)IMPERVA_NETWORK_SECURITY)MICROSOFT_DEFENDER_XDR)NAKIVO_BACKUP)NETCRAFT_TAKEDOWN)NXL_AMPLIFY)SIEMENS_DESIGO)Google SecOps has updated the list of supported default parsers. Parsers are updated gradually, so it might take one to four days before you see the changes reflected in your region.
The following supported default parsers have been updated. Each parser is listed by product name and log_type value, where applicable. This list includes both released default parsers and pending parser updates.
ONEPASSWORD_AUDIT_EVENTS)AIX_SYSTEM)APACHE)ARUBA_EDGECONNECT_SDWAN)AVAYA_AURA)AWS_CLOUDFRONT)AWS_CLOUDTRAIL)GUARDDUTY)AWS_SECURITY_HUB)AZURE_AD)AZURE_AD_CONTEXT)AZURE_AD_SIGNIN)AZURE_SQL)AZURE_STORAGE_AUDIT)BARRACUDA_WAF)BLUECOAT_WEBPROXY)CHROME_MANAGEMENT)CISCO_ACS)CISCO_ISE)CISCO_SECURE_ACCESS)CISCO_SECURE_WORKLOAD)CISCO_SWITCH)CISCO_UMBRELLA_AUDIT)CITRIX_NETSCALER)CLAROTY_XDOME)CLAUDE_COMPLIANCE_LOGS)CLOUDFLARE)CLOUDFLARE_WARP)CORELIGHT)CS_ALERTS)CS_EDR)CYBERARK)CYBERARK_PAM)DUO_ADMIN)EFFICIENTIP_DDI)ELASTIC_AUDITBEAT)ELASTIC_WINLOGBEAT)F5_ASM)FORCEPOINT_WEBPROXY)FORTINET_FIREWALL)GITHUB)GCP_CLOUD_ASSET_INVENTORY)GCP_CLOUDAUDIT)GCP_COMPUTE_CONTEXT)GTI_IOC)GTB_DLP)CLEARPASS)IBM_WEBSPHERE_APP_SERVER)IBM_ZOS)IMPERVA_WAF)IMPERVA_CEF)IMPERVA_DRA)IMPERVA_SECURESPHERE)ISLAND_BROWSER)JUNIPER_FIREWALL)JUNIPER_MIST)KUBERNETES_NODE)LASTPASS)AUDITD)AZURE_ACTIVITY)MICROSOFT_DEFENDER_MAIL)IIS)MOBILEIRON)MONGO_DB)MYSQL)NETAPP_STORAGEGRID)NETSKOPE_ALERT_V2)NETSKOPE_WEBPROXY)GCP_NGFW_ENTERPRISE)OFFICE_365)OFFICE_365_MESSAGETRACE)OKTA_SCALEFT)ORACLE_DB)OCI_AUDIT)ORCA)PROOFPOINT_ON_DEMAND)RADWARE_FIREWALL)REDHAT_DIRECTORY_SERVER)REDHAT_OPENSHIFT)SALESFORCE)SANGFOR_NGAF)GCP_SECURITYCENTER_ERROR)GCP_SECURITYCENTER_MISCONFIGURATION)GCP_SECURITYCENTER_OBSERVATION)GCP_SECURITYCENTER_POSTURE_VIOLATION)GCP_SECURITYCENTER_THREAT)GCP_SECURITYCENTER_TOXIC_COMBINATION)GCP_SECURITYCENTER_UNSPECIFIED)GCP_SECURITYCENTER_VULNERABILITY)SENTINELONE_CF)SERVICENOW_SECURITY)SOURCEFIRE_IDS)SURICATA_EVE)SEP)SYSDIG)TRENDMICRO_DEEP_SECURITY)TRENDMICRO_VISION_ONE_OBSERVERD_ATTACK_TECHNIQUES)UBIQUITI_SWITCH)NIX_SYSTEM)UPWIND)VMWARE_ESX)VMWARE_VSPHERE)WINDOWS_DNS)WINEVTLOG)WIZ_IO)WORKDAY_USER_ACTIVITY)WORKSPACE_ACTIVITY)ZSCALER_WEBPROXY)ZSCALER_CASB)ZSCALER_DLP)ZSCALER_ZPA)The following log types were added without a default parser. Each parser is listed by product name and log_type value, where applicable.
AZURE_SOFTWARE_VULNERABILITIES)CALLER_VERIFY)CERTSECURE_LOG)CISCO_MULTICLOUD_DEFENSE_FIREWALL)CURSOR)CYFIRMA_DECYFIR_LOG)DATABAHN)FLARE_DARKWEB_ALERTS)FORTINET_FORTIAPPSEC)HIKVISION_NVR)IBM_B2B_INTEGRATOR)IBM_VDP)IMPERVA_ATO)IMPERVA_CSP)IMPERVA_DNS)IMPERVA_NETWORK_SECURITY)MICROSOFT_DEFENDER_XDR)NAKIVO_BACKUP)NETCRAFT_TAKEDOWN)NXL_AMPLIFY)SIEMENS_DESIGO)Release 6.3.87 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>On May 30, 2026 we released an updated version of the Apigee hybrid software, v1.15.4.
Various security and CVE fixes are included in this release.
Release 6.3.86 is now available for all regions.
]]>On May 29, 2026, we released an updated version of the Apigee UI.
Apigee EventFlow now supports the DataCapture policy
You can now use the DataCapture policy within an EventFlow to extract and persist data from server-sent events (SSE) streams, such as token counts and other fields from streaming LLM responses. For more information, see Use the DataCapture policy to capture token counts.
Manage Spaces in the Apigee UI
You can now create, view, update, and delete spaces, and manage their Identity and Access Management (IAM) policies directly in the Apigee UI. Previously, these actions could only be performed using the Apigee API. For more information, see Apigee Spaces overview.
The preconfigured base images include Antigravity CLI.
The base VM was upgraded to use Container-Optimized OS 129 LTS.
The JetBrains RubyMine preconfigured base image
uses a custom gem directory (/usr/local/share/gems/ruby/3.1.0).
Various bug fixes and minor product enhancements.
In GKE version 1.35 and later, workloads that use Workload Identity to authenticate to Google Cloud APIs might experience transient connectivity timeouts or refused connections to the GKE metadata server immediately following node startup. For recommendations and workarounds, see Timeout errors at Pod startup.
GKE Gateway now supports backend authenticated TLS for Gateway-originated connections to Pods or InferencePools for the following GatewayClasses:
gke-l7-global-external-managedgke-l7-regional-external-managedgke-l7-rilbThe Data Lineage API includes the searchLineageStreaming method that performs a breadth-first search (upstream or downstream) to retrieve lineage links for an asset identified by its Fully Qualified Name (FQN).
For more information, see the Data Lineage API reference for REST.
Managed Service for Apache Spark (formerly Dataproc on Compute Engine):
Added support for selecting specific Confidential Computing technologies (AMD SEV, AMD SEV-SNP, Intel TDX) when creating clusters using the new --confidential-compute-type flag in gcloud and the confidentialInstanceType field in the API. The boolean --enable-confidential-compute flag is now deprecated but will continue to function, defaulting to AMD SEV for backward compatibility.
confidentialInstanceType enum in the API.--enable-confidential-compute flag and enableConfidentialCompute field are deprecated in favor of the new type-specific flag/field.SEV.SEV, SEV-SNP, and TDX.You can now view the Google Cloud Backup and DR Service protection summary at the organization and folder levels. To learn more about protection summary, see Find unprotected resources using protection summary.
As part of Bigtable Enterprise Plus edition, you can configure a retention period of up to 365 days for backups. This feature is generally available (GA). For more information, see Bigtable backups overview.
You can view the available regional endpoints for the Cloud Logging API on the REST reference pages. For an example, see Method: projects.locations.buckets.list.
As of August 26, 2026, in buckets with hierarchical namespace enabled,
the Object Lifecycle Management Delete action will
delete empty folders when the empty folder meets all of the conditions in the
lifecycle rule.
You can view the available regional endpoints for the Observability API and for the Telemetry API on their REST reference pages. For more information, see API overview.
You can view the available regional endpoints for the Error Reporting API on the REST reference pages. For an example, see Method: projects.events.list.
Gemini Enterprise: Release of Core Assistant (General Availability) and new Trace and Metrics information for Core Assistant (Preview)
This release includes Core Assistant, a Google-provided ("Made by Google") root agent that handles interactions when users talk to the Gemini Enterprise app without specifying any other agent.
Core Assistant is Generally Available.
Core Assistant includes new observability and monitoring functionality:
The Trace and Metrics tabs are in Public Preview.
For more information, see Observe and trace agent behavior with Core Assistant.
Agent Platform Gemini 3.1 Flash Image and Gemini 3 Pro Image
Gemini Enterprise Agent Platform Gemini 3.1 Flash Image and Gemini 3 Pro Image are Generally Available.
With this release, Gemini 3.1 Flash Image and Gemini 3 Pro Image support 4K image outputs in Preview.
Also supported in this release, Gemini 3.1 Flash Image supports video inputs in Preview. You can use video inputs to generate thumbnails or representative images of videos.
For more information, see the following:
Agent Platform Gemini 3.1 Flash Image Preview and Gemini 3 Pro Image Preview deprecation
Gemini Enterprise Agent Platform Gemini 3.1 Flash Image Preview and Gemini 3 Pro Image Preview are deprecated. We recommend that you update your model endpoints before July 17, 2026, to avoid service disruption.
The following are the discontinued endpoints and recommended endpoint migration:
| Discontinued endpoints | Recommended endpoint migration |
|---|---|
gemini-3.1-flash-image-preview |
gemini-3.1-flash-image |
gemini-3-pro-image-preview |
gemini-3-pro-image |
Anthropic's Claude Opus 4.8
Claude Opus 4.8 is available in Model Garden.
C4A bare metal instances are generally available with GKE clusters. For more information, see the Arm workloads on GKE document, including the "Requirements and limitations" section for specific version requirements.
Confidential GKE Nodes now support cluster level enablement of AMD SEV-SNP and Intel TDX on GKE Autopilot.
In GKE versions 1.36.0-gke.2459000 and later, you can directly configure Cloud Logging for L4 load balancer backend services by using the L4LBConfig CustomResourceDefinition (CRD).
This feature is available for the following load balancer types:
[Spotlight Feature] Unified and Upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. Further, we've upgraded the following Chronicle API resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability.
The following features and resources are included in this update:
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
[Spotlight Feature] Manage access to preview features
Google Sec0ps tenant administrators can enable or disable access to public preview features. Previously, all public preview features needed to be enabled through official Support channels.
The new Public Preview Features page lists all the public preview features, the status of each feature (on or off)—along with (when available) the expected GA date and a link to a relevant user guide.
For more information, see Manage access to preview features.
Upgraded Chronicle API
We've upgraded the following Chronicle API resources from v1 beta to v1. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for all new integrations, for a more robust, secure, and extensible experience. Learn more about API Stability.
The following features and resources are included in this update:
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
Unified and Upgraded Chronicle API
Chronicle API has been unified with API resources from legacy SOAR API. This unification provides a more robust, secure, and extensible experience. This upgrade signals API stability and functional completeness, enabling customer and partner adoption for production usage. We recommend that customers and partners use Chronicle API for a more robust, secure, and extensible experience. Learn more about API Stability.
This update includes the following resources: Case, CaseAlert, CaseStageDefinition, CaseTagDefinition, CaseQueueFilter, CaseCloseDefinition, ContextProperty, InvolvedEntity, Task, CaseComment, CaseWallRecord, ChatMessage, View, VisualFamily, ChatMessages.attachment, ContentPack, SocRole, EmailTemplate, DynamicParameter, EntitiesBlocklist, Environment, EnvironmentGroup, Integration, Integrationaction, UserNotification, Integrationactionrevision, Connector, ConnectorInstance, RemoteAgent, Connectorlog, Connectorrevision, IntegrationInstance, UniqueEntity, Integrationsjob, JobInstance, JobInstances.log, Jobs.revision, Integrationmanager, Integrationmanagerrevision, AlertGroupingRule, Announcement, Attachment, CustomList, FormDynamicParameter, MarketplaceIntegration, ModuleSetting, SlaDefinition, NotificationSetting, PropertySchemaDefinition, RequestTemplate, SoarDomain, SoarNetwork, WorkdeskLink, SystemNotification, WorkdeskContact, WorkdeskNote, LegacySoarUsers.localization.
For a full list of updated resources and links to the documentation, please see the Chronicle API documentation.
To enhance security and address potential vulnerabilities (such as GHSA-3m6q-h5gj-7mrw), the Secure Source Manager Git-over-SSH server configuration has removed support for several legacy and insecure SSH algorithms.
SSH clients must support one or more of the following modern algorithms to connect:
curve25519-sha256, diffie-hellman-group14-sha256chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.comhmac-sha2-256-etm@openssh.com, hmac-sha2-256Users with old or non-standard SSH clients lacking support for these algorithms will be unable to connect using SSH for Git operations. Ensure your SSH client is up-to-date.
Risk Engine detects toxic combinations that are related to Managed Service for Apache Spark (formerly known as Dataproc), including Lightning Engine.
Risk reports are updated to include more content in the Risk Engine introduction and the System attack exposure pages. For more information about what's included in risk reports, see Risk reports overview.
]]>Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
Enable only needed legacy bundled services using the app_engine_bundled_services field for improved security and maintainability of your applications (Preview).
An updated version of the Simba ODBC driver for BigQuery is now available.
Generally available: Two C4A bare metal machine types are generally available:
c4a-standard-96-metal with 96Â vCPUs and 384Â GB of DDR5
memoryc4a-highmem-96-metal with 96Â vCPUs and 768Â GB DDR5
memoryThese two machine types support Hyperdisk Balanced, Hyperdisk Extreme, Hyperdisk Throughput, and Hyperdisk ML volume storage and up to 100Â Gbps of network bandwidth.
To learn more about the C4A machine family, read General-purpose machines. To see where you can create C4A bare metal instances, read Bare metal instances.
Layout parser image and table annotations is in General Availability (GA).
Layout parser can identify if there are images or tables in parsed documents. When found, images and tables are annotated as a descriptive block of text with the information depicted in the image and table.
Gemini Enterprise: Slack data store
The Slack data store is generally available (GA) in Gemini Enterprise.
You can connect a Slack Workspace to search and read conversations, files, and messages using natural language. You can also perform actions, such as sending and scheduling messages, directly from the Gemini Enterprise app chat box.
For more information, see Connect Slack.
User ID logging now included with agent logs when you opt in to "Enable logging of prompt inputs and response outputs"
Prompt input and response output logging now includes the
user.id field. This addition allows better tracking of
anomalous tool interactions.
For details on configuration, see Write traces for an agent.
Advanced reporting dashboards 4.22
We've released version 4.22 of the advanced reporting dashboards.
Added a Location filter to dashboards
The following dashboards now include a Location filter:
Queue Performance dashboard improvements
We've made the following improvements to the Queue Performance - Calls and Queue Performance - Chats dashboards:
Added the dashboards to the Advanced Reporting Landing Page.
Added a Support Phone Number filter.
Renamed the Total Inbound Handled tile (calls only) to Total Queue Answered.
Added a Total Failed tile.
In the Queue Summary table, removed the Total Inbound Calls Handled column and added the following columns: Total Queue Interactions, Total Queue Entries, Total Queue Answered, Total Failed, and Total Transfers.
For more information, see Queue Performance dashboards.
General dashboard updates
In the Performance Overview dashboard, we renamed the following tiles:
Queued Now to Current Queued Now
Max Queue Time to Current Max Queue Time
The Real-time Connected - Calls and Real-time Connected - Chats dashboards now include the following tiles:
Total Connected Calls (calls only)
Total Connected Chats (chats only)
Avg Current Sentiment Score
In the Queue Group Performance - All dashboard, we renamed the Lang filter to Language.
The following issues were addressed in this release:
Fixed an issue where the CSAT scores in the Performance Overview and CSAT dashboards didn't match.
Fixed an issue where the Queue Performance dashboard incorrectly totaled queue interactions, resulting in lower counts than expected.
Fixed an issue in the All Interactions - Chat dashboard where the Virtual Agents Chats table displayed the wrong chat.
Fixed an issue in the All Interactions - Chat dashboard where the
Failed Interaction column of the Chat Metric Detail table displayed
False for a failed interaction.
Fixed an issue in the All Interactions - Chat dashboard where the
Failed Interaction column of the Chat Metric Detail table displayed
False for a failed interaction.
Fixed an issue where the Chat ID filter on the Queue Performance - Chats dashboard incorrectly displayed placeholder values.
Fixed an issue where scheduled exports of large queries were limited to 500 rows, causing reporting delays.
Fixed an issue in the Historical Data table of the Agent Activity dashboard where the Start Time and End Time columns indicated incorrect durations for agents belonging to multiple teams.
Fixed an issue where short abandoned calls and chats were incorrectly included in the Abandons dashboard, causing inaccurate reporting of queue abandon times.
Fixed an issue where dashboard windows didn't fully display their contents.
We've reduced the processing and delivery delay for Google Cloud Marketplace partner reports from 2 days (D+2) to 1 day (D+1), accelerating by one day the delivery of the Customer Insights reports to Cloud Marketplace partners.
For information about processing times, see Customer Insights report frequency
Google Distributed Cloud (software only) for VMware 1.34.500-gke.108 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.34.500-gke.108 runs on Kubernetes v1.34.7-gke.200.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.34.500-gke.108:
stackdriver.disableVsphereResourceMetrics to true in the cluster configuration file, user cluster installations or upgrades stalled indefinitely because the installer erroneously deleted the vsphere-ca-certificate ConfigMap, causing vsphere-csi-controller pods to fail with mount errors. You no longer need to manually recreate the ConfigMap or scale down the vsphere-metrics-exporter deployment as a workaround. gkectl diagnose command failed to run on standard user clusters managed by an advanced admin cluster.Google Distributed Cloud (software only) for bare metal 1.34.500-gke.108 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.34.500-gke.108 runs on Kubernetes v1.34.7-gke.200.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.34.500-gke.108:
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.30.14-gke.2558000 | cos-117-18613-613-5 | cos-117-18613-613-5 release notes |
| 1.31.14-gke.1967000 | cos-117-18613-613-7 | cos-117-18613-613-7 release notes |
| 1.33.12-gke.1059000 | cos-121-18867-381-125 | cos-121-18867-381-125 release notes |
| 1.35.5-gke.1057000 | cos-125-19216-395-7 | cos-125-19216-395-7 release notes |
| 1.36.0-gke.2459000 | cos-129-19506-120-64 | cos-129-19506-120-64 release notes |
Standard parser support policy
Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through Important UDM Fields. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community.
For more information, see Standard parser support policy.
New Cloud Identity integration
Standard parser support policy
Google SecOps introduced a focused support policy for Standard parsers to scale platform stability, predictable performance, and high-quality data normalization. The new policy structures service level objectives (SLOs) and request triaging by customer support tiers (Standard versus Expert/Expert+), and prioritizes core security data through Important UDM Fields. Additionally, the policy outlines a community-driven model where low-usage, longtail prebuilt parsers migrate to a dedicated GitHub repository maintained by partners and the Google SecOps community.
For more information, see Standard parser support policy.
You can use the data lineage remote MCP server to interact with Knowledge Catalog (formerly Dataplex Universal Catalog) to query data lineage graphs, discover upstream data provenance, and analyze downstream impact.
This feature is available in preview. For more information, see Use the data lineage remote MCP server.
The following features will begin rolling out as part of Looker 26.8.
The Looker Continuous Integration (CI) feature is now generally available.
Conversational Analytics now supports the ability to run queries when users are in Development Mode.
Now available in preview for BigQuery and Snowflake connections, Looker integrates with in-database analytic models (BigQuery Graph and Snowflake semantic views), so that you can keep your semantic definitions consistent across Looker and other BI tools, applications, or workloads that interface with your data warehouse.
See the In-database analytic models documentation page for more information.
Note: This item was added on May 28, 2026.
Now available in preview, dashboard editors can change the size and layout of dashboard tiles with more granularity. To enable this feature, a Looker admin must turn on the Granular Dashboard Sizing setting on the Preview page in the Admin panel.
Now available in preview, enhanced observability metrics, including engagement and token usage data, are available for Conversational Analytics on the Conversational Analytics System Activity dashboard. To use this feature, a Looker admin must turn on the Conversational Analytics Observability setting on the Preview admin page. Note: Token usage monitoring for Conversational Analytics is not available at this time. This item was updated on June 1, 2026.
Now available in preview, you can use natural language to instruct a Conversational Analytics data agent to create a workflow that notifies you when your data has met certain conditions. To use this feature, a Looker admin must turn on the Agentic Workflows setting on the Gemini in Looker admin page.
Now available in preview, the Looker-managed Model Context Protocol (MCP) server allows AI agents to securely connect to your Looker instance without requiring separate middleware. Looker admins can enable this feature and manage which AI tools are available to developers from the new Model Context Protocol (MCP) page in the Admin panel. Usage of the managed MCP server is also tracked within System Activity Explores and Cloud Audit Logs.
Model localization for imported projects will be supported in a future release.
Note: This item was updated on May 28, 2026.
Now available in preview, you can publish the Conversational Analytics data agents that you create in Looker to Gemini Enterprise. All users who have the save_agents permission will be granted the publish_agent_externally permission. To use this feature, a Looker admin must turn on the Publish to Gemini Enterprise setting on the Gemini in Looker admin page.
Now available in preview, you can create and use Conversational Analytics data agents on Looker user-defined dashboards. Conversational Analytics uses the Production Mode of content when it queries Looker dashboards. To use this feature, a Looker admin must turn on the Enable Dashboard Agents setting on the Gemini in Looker admin page.
Looker has introduced the following new feature updates for tabbed dashboards:
The Self-service Explores feature is now supported on Snowflake connections. Your Looker admin can select a Snowflake connection in the Default Connection field of the Self-service Explores admin page. On Snowflake connections, you can upload comma-separated files (CSV) and Excel files (XLS and XLSX) to create a self-service Explore.
Looker has introduced a security sandboxing enhancement for Git command-line interface (CLI) operations. For Looker projects that are configured with SSH connections, this enhancement restricts which directories and executables can be accessed on the instance when Git worktree commands are executed. Looker projects that use HTTPS connections are not affected.
This sandboxing feature is enabled automatically for Cloud-hosted Looker (original) and Looker (Google Cloud core) instances starting in Looker 26.8.
For customer-hosted Looker instances, this security enhancement is available starting in Looker 26.10. To opt in to security sandboxing, you must install the proot package on your Looker host machine. If proot isn't installed, SSH-connected Git operations will still be executed successfully but won't have the sandboxing protection.
Note: This item was updated on May 29, 2026.
The Admin > Roles panel user interface has been updated.
Looker admins can no longer create or manage API credentials for individual standard users in Looker (original) instances. Users must now manage their own keys from their Account page. Admins can enable or disable self-service API key management for users and continue to manage credentials for API-only service accounts. To improve security, API keys are no longer visible to admins while they are sudoing as another user.
Managed Service for Apache Airflow now supports Google Cloud tags for environments.
Tags provide a way to create annotations for resources, and conditionally allow or deny policies based on whether a resource has a specific tag.
In Managed Airflow (Gen 3), it is now possible to
create Kubernetes Secrets with the kubernetes.io/dockerconfigjson
secret type
through the beta Cloud Composer API, in addition to the default
Opaque secret type. For more information, see Manage Kubernetes Secrets.
(Airflow 3) The INFO log level filter in Airflow UI now correctly displays log messages with this logging level.
New Airflow builds are available in Managed Airflow (Gen 3):
New images are available in Managed Airflow (Gen 2):
The following Managed Airflow versions and builds have reached their end of support period: composer-3-airflow-2.9.3-build.24, composer-2.13.2-airflow-2.9.3, composer-2.13.2-airflow-2.10.5.
For Exadata Database Service on Exascale infrastructure, Base Database Service, and Goldengate, Oracle Database@Google Cloud adds the following regions and zones:
australia-southeast2-a-r2 (Melbourne, Australia)europe-west8-b-r1 and europe-west8-a-r1 (Milan, Italy)For a list of supported locations, see Supported regions and zones.
Secure Source Manager enforces a daily rate quota on the size of code scanned for credentials per instance. The default quota limit is 1 GB per day per instance. For more information, see Quotas and limits.
Spanner Graph supports a suite of graph algorithms covering use cases such as fraud detection, entity resolution, and recommendations. You can invoke graph algorithms as built-in function calls in Spanner Graph queries. You can save your output to Cloud Storage or Spanner. This feature is available in Preview.
Agent Search: Table and image annotation in layout parser
The table annotation and image annotation features of the layout parser are generally available (GA).
You can ask the layout parser to annotate images or tables with a descriptive block of text describing the information in the image or table. The annotation can then be used as a source in a generated answer. For more information, see Layout parser.
]]>The Data Science Agent (DSA) for Colab Enterprise and BigQuery is now generally available (GA).
For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map, providing more granular control over caching. You can now apply specific caching logic based on hostnames, URL paths, HTTP headers, and query parameters. This feature is Generally Available.
For more information, see Cache policies in URL maps.
For global external Application Load Balancers, you can configure Cloud CDN cache policies at various levels of a URL map. This provides granular control over caching policies based on criteria like hostname, URL path, HTTP headers, and query parameters. This feature is in General availability.
For more information, see Configure a Cloud CDN cache policy.
Frontend configuration for load balancing incoming IPv6 traffic is now supported for the following load balancers:
This feature is in Preview.
For more information, see the following documentation:
Cloud Trace in Observability Analytics is generally available (GA). Observability Analytics lets you query and analyze your trace data by using SQL. You can chart your query results, save your queries, and join your trace and log data.
For more information, see the following documents:
The Observability API is generally available (GA). This API lets you configure the following:
For more information, see the following documents:
Trace scopes are generally available (GA). For more information, see Create and manage trace scopes.
The following remote MCP servers automatically generate a trace span for
tools/call operations. These spans can help you understand the behavior of
your agentic applications. For more information, see
Investigate MCP calls using Trace.
Data Science Agent
Generally available: Use the Data Science Agent to automate exploratory data analysis, perform machine learning tasks, and deliver insights from within a Colab Enterprise notebook. To get started, see Use the Data Science Agent.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Added support for the swiotlb=any kernel command line parameter.
Update sys-process/audit to v3.0.9.
Updated glib to v2.86.5.
Updated sys-libs/pam to v1.5.3.
Upgraded net-misc/openssh to v10.0_p2.
Fixed a crash that occurs when using the configfile or
source GRUB2 commands when Secure Boot is enabled.
Fixed a race condition triggered by ext4 online resize that rarely causes machines to fail to boot.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-31419 in the Linux kernel.
Fixed CVE-2026-31430 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43074 in the Linux kernel.
Fixed CVE-2026-43088 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed EFI variable OOB read in grub config parsing.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-32289,CVE-2026-32282,CVE-2026-32288,CVE-2026-27142,CVE-2025-61728,CVE-2026-27139,CVE-2026-39817,CVE-2026-39819,CVE-2025-68119,CVE-2025-61732,CVE-2026-32280,CVE-2026-25679,CVE-2026-27144,CVE-2026-32283,CVE-2026-27140,CVE-2025-61731,CVE-2026-32281,CVE-2025-61726,CVE-2025-68121,CVE-2026-27143,CVE-2026-39826,CVE-2026-39823,CVE-2026-39825,CVE-2026-33814,CVE-2026-39820,CVE-2026-42499,CVE-2026-39836.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Added support for the swiotlb=any kernel command line parameter.
Update sys-process/audit to v3.0.9.
Updated glib to v2.86.5.
Upgrade app-admin/fluent-bit to v3.2.10
Updated sys-libs/pam to v1.5.3.
Upgraded net-misc/openssh to v10.0_p2.
Fixed a crash that occurs when using the configfile or
source GRUB2 commands when Secure Boot is enabled.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-31419 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43088 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-42499,CVE-2026-39820,CVE-2026-39826,CVE-2026-33814,CVE-2026-39836,CVE-2026-39823,CVE-2026-39825,CVE-2026-39817,CVE-2026-39819.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Update sys-process/audit to v3.0.9.
Upgrade app-admin/fluent-bit to v3.2.10
Updated glib to v2.86.5.
Updated sys-libs/pam to v1.5.3.
Upgraded cos-gpu-installer to v2.7.2.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-23473 in the Linux kernel.
Fixed CVE-2026-31449 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43109 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-33814,CVE-2026-39823,CVE-2026-39826,CVE-2026-39817,CVE-2026-39819,CVE-2026-39820,CVE-2026-39836,CVE-2026-42499,CVE-2026-39825.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.31 | See List |
This update contains several package upgrades to the latest patch version to ensure security, along with package patches for known CVEs.
Update sys-process/audit to v3.0.9.
Updated glib to v2.86.5.
Updated sys-libs/pam to v1.5.3.
Upgraded app-containers/containerd from v1.7.29 to v1.7.31.
Fixed CVE-2026-23171 in the Linux kernel.
Fixed CVE-2026-23473 in the Linux kernel.
Fixed CVE-2026-31449 in the Linux kernel.
Fixed CVE-2026-31709 in the Linux kernel.
Fixed CVE-2026-43109 in the Linux kernel.
Fixed CVE-2026-44431 in dev-python/urllib3.
Fixed CVE-2026-6732 in dev-libs/libxml2.
Fixed KCTF-9e6bf14 in the Linux kernel.
Updated dev-lang/go to 1.25.10. This fixes CVE-2026-39817,CVE-2026-39825,CVE-2026-33814,CVE-2026-39819,CVE-2026-39826,CVE-2026-39823,CVE-2026-39820,CVE-2026-42499,CVE-2026-39836.
Updated net-misc/curl to v8.20. This fixes CVE-2026-5545,CVE-2026-4873,CVE-2026-6429,CVE-2026-7168,CVE-2026-6253,CVE-2026-6276,CVE-2026-7009,CVE-2026-5773.
Gemini Enterprise: Filter support for Google Sites data stores (Preview)
You can add Site URL prefix filters to Google Sites data stores in Gemini Enterprise to include or exclude specific sites from search results.
This feature is in Public Preview. For more information, see Add filters to a Google Sites data store.
Gemini Enterprise: Gemini Enterprise assist is deprecated
The Gemini Enterprise assist feature is deprecated and shut down. Users can now find comprehensive and relevant answers directly in the Gemini Enterprise documentation.
Gemini Enterprise: Data store for PagerDuty (Preview)
You can connect PagerDuty data stores to Gemini Enterprise.
Support for PagerDuty data stores is in Public Preview. For more information, see Connect PagerDuty.
Gemini Enterprise: Administrator control for Gemini 3.5 Flash
Gemini Enterprise administrators can use the feature management toggle to turn on or turn off Gemini 3.5 Flash, controlling its visibility in the Gemini Enterprise app chat box.
The feature management toggle for Gemini 3.5 Flash will not be available after June 8, 2026. Starting June 8, 2026, Gemini 3.5 Flash is enabled by default and cannot be turned off for users in the Gemini Enterprise app.
For more information about feature controls, see Manage features on the web app.
The Gemini Deep Research Agent released in Preview
The Gemini Deep Research Agent has been released in Preview. The Gemini Deep Research Agent is a managed AI agent that plans, executes, and synthesizes complex, multi-step research workflows across the public web and private enterprise data to generate comprehensive, cited reports.
For more information, see Use the Gemini Deep Research Agent.
Agent Platform Sandboxes
Additional Agent Platform sandbox features are now available:
Identify the agents with the most content security violations
The Security dashboard displays the top 10 agents with the most content violations detected by Model Armor. The list shows the agent ID of each agent and the number of violations detected for that agent. For more information, see Monitor content security.
Vertex AI Extensions deprecation
Vertex AI Extensions is deprecated and will be shut down after November 26, 2026. We recommend migrating to Agent Platform to avoid service disruption.
Google Cloud CCaaS 4.35
We've released version 4.35 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
This release addresses the following issues:
Fixed an issue where URLs copied from Microsoft Word into SMS chat sessions were incorrectly formatted, causing links to merge with adjacent text.
Fixed an issue with Alvaria campaigns where the dialer didn't correctly use the country code from the @COUNTRYCODE field when selecting the contact number to dial.
Fixed an issue where live transcription didn't resume after an agent enabled and then disabled redaction during IVR payment card collection.
Fixed an issue where agents couldn't upload PDF files in chat sessions.
Fixed an issue where end-users encountered errors or empty details when accessing call history immediately after a call ended.
Fixed an issue where agents became stuck in the In-call status and
couldn't end calls or change their status, preventing them from handling new
interactions.
Fixed an issue where the deletion of the default greeting message for a language didn't persist.
Fixed a web SDK issue where scheduling a call in one queue incorrectly showed the Reschedule Call screen from a different queue.
Fixed an issue that occurred when a human agent invoked the payment virtual task assistant to collect card details. When the call was transferred back to the human agent, live transcription and sentiment analysis didn't resume.
Fixed an issue where HubSpot ticket creation failed when Skip CRM Account Creation and Skip Account Lookup were enabled. This resulted in tickets being created without an associated phone number.
Fixed an issue where, after transferring a call from one queue to another, the receiving agent's desktop temporarily showed the source queue's agent desktop layout instead of the destination queue's layout.
Fixed an issue where outbound Telnyx calls got stuck on the agent adapter Connecting screen when Agent Voice Detection was enabled globally.
Fixed an issue where Alvaria Advanced Outreach outbound campaign batch files weren't ingested by Contact Center AI Platform, preventing campaigns from loading contacts.
Fixed an issue where a single inbound call in Salesforce created two cases.
Fixed an issue where the Agents dashboard showed an invalid -10 agent
status during wrap-up and after calls.
Fixed an issue where Alvaria WFM Agent Performance reports displayed no agent activity.
Fixed an issue where the NICE WFM exporter reported higher abandoned call counts than Contact Center AI Platform reporting.
Fixed an issue where chats escalated from a virtual agent to a human agent were dismissed shortly after assignment.
Fixed an issue where the Ticket URL column in the Individual Call History CSV report was blank for newly recorded calls, preventing customers from accessing and downloading call recordings from the report.
Fixed an issue where newly created teams couldn't be reordered in the CCAI Platform portal.
Fixed an issue where the agent desktop Previous Interactions panel didn't show Agent Assist summaries from past calls.
Fixed an issue where conversation history didn't display correctly in the agent adapter when a chat was escalated from a virtual agent to a human agent and then a large number of messages were sent by the end-user.
Cloud Storage FUSE CSI driver is now supported for Google Cloud Dedicated
clusters and node pools running GKE version 1.36.0-gke.1266000 and higher. To
use the driver, you must specify the custom-endpoint mount option by using
either the gcsfuse CLI
or the configuration
file format.
For more information, see About Cloud Storage FUSE CSI driver for
GKE.
To monitor the efficiency of the GKE training JobSet, the following two GKE system metrics are available in Preview:
kubernetes.io/jobset/scheduling_goodput: the fraction of time that all the
resources required to run the training JobSet are available.kubernetes.io/jobset/proxy_runtime_goodput: the fraction of time that all
required accelerators are productive. This metric provides an estimate of the
real runtime goodput.For details about GKE metrics, see Kubernetes metrics. For details about goodput metrics that are used to measure efficiency, see Monitor goodput with the ML Goodput Measurement library.
You can also view these new GKE metrics in the JobSet monitoring dashboard.
Data products in Knowledge Catalog is Generally Available (GA). A data product serves as a logical, curated package of data assets and context designed to solve a specific business problem.
This release includes the following new features:
Approval workflows for data product consumption: Data product consumers can browse published data products, submit access requests, and track their status. Data product owners can track, approve, or reject access requests using the Google Cloud Console or the API. For more information, see Use data products and Manage data products.
Automated documentation and insights: Data product owners can leverage Knowledge Catalog data insights and Gemini to automatically generate sample queries, business insights, and documentation templates for data products. For more information, see Create data products.
Service account support: Data product owners can configure service accounts in access groups, and data product consumers can request access for their service accounts. For more information, see Create data products.
Remote Model Context Protocol (MCP) server support (Preview) Data applications and AI agents can programmatically interact with data products. By deploying the Knowledge Catalog remote MCP server, developers can create data products, discover data products, and inspect data product metadata from external IDEs and LLM clients. For more information, see Access data products using Model Context Protocol.
[Spotlight Feature] Create and manage calculated fields
The Calculated Fields feature is now available in Preview. With Calculated Fields, you can dynamically derive new data points within Google Security Operations cases and alerts. By defining logical formulas, you can compute values based on existing system or custom fields. The calculated value is automatically evaluated and stored in a user-selected, pre-existing custom field (labeled Target Field) in real time.
For more information, see Create and manage calculated fields.
Time range selection for searches
Google SecOps has now added relative and absolute time range options to define the required time period for retrieving search results.
For more information, see Set the date and time range.
Create and manage calculated fields
The Calculated Fields feature is now available in Preview. With Calculated Fields, you can dynamically derive new data points within Google Security Operations cases and alerts. By defining logical formulas, you can compute values based on existing system or custom fields. The calculated value is automatically evaluated and stored in a user-selected, pre-existing custom field (labeled Target Field) in real time.
For more information, see Create and manage calculated fields.
Release 6.3.86 is being rolled out to the first phase of regions as listed here.
This release contains internal and customer bug fixes.
]]>Release 6.3.85 is now available for all regions.
]]>DNS Armor is generally available (GA).
DNS Armor is generally available (GA).
Apigee Emulator
On May 22, 2026, we released Apigee Emulator version 2.0.0.
Starting with this release, the Apigee Emulator is versioned and released independently from Apigee hybrid. This enables faster delivery of security patches and updates without waiting for hybrid release cycles. The emulator image continues to be available at Google Artifact Registry.
To use the new version, update the emulator version in your VS Code Cloud Code
settings to 2.0.0. See
Manage the Apigee Emulator
for details.
Apigee Emulator
Apigee Emulator
This release addresses 78 security vulnerabilities across Cassandra base image, Go standard library, Java dependencies, and Python packages. Key fixes include:
| CVE | Component |
|---|---|
| CVE-2022-42003 | Jackson Databind |
| CVE-2022-42004 | Jackson Databind |
| CVE-2022-38749 | SnakeYAML |
| CVE-2022-38750 | SnakeYAML |
| CVE-2023-2976 | Google Guava |
| CVE-2020-8908 | Google Guava |
| CVE-2024-12798 | Logback |
| CVE-2025-22866 | Go stdlib |
| CVE-2025-22870 | Go stdlib |
| CVE-2022-40897 | Python setuptools |
And 68 additional CVEs fixed through updated upstream dependencies.
On May 22, 2026 we released an updated version of the Apigee hybrid software, v1.14.5.
Various security and CVE fixes are included in this release.
On May 22, 2026 we released an updated version of the Apigee UI.
The Management > Instances page now displays Apigee hybrid instances. The display includes the instance name, location, and runtime version.
See Managing instances.
Starting May 22, 2026, the Apigee Emulator is versioned and released independently from Apigee hybrid. Emulator updates, including security patches, are no longer tied to hybrid release cycles.
The emulator image continues to be available at
gcr.io/apigee-release/hybrid/apigee-emulator. The first independent release
is v2.0.0.
For emulator release notes going forward, see Apigee release notes.
Database Migration Service for homogeneous SQL Server migrations now provides dedicated support for Cloud SQL for SQL Server sources. This feature is generally available (GA).
For Cloud SQL for SQL Server sources, Database Migration Service automatically exports all required backup files and uploads them to a dedicated Cloud Storage bucket. For more information, see the Migration guide for Cloud SQL for SQL Server sources in the Database Migration Service homogeneous SQL Server documentation.
Application Load Balancers now support the configuration of a
traffic duration
setting when you add backends to backend services. You can configure this
setting as SHORT or LONG based on the response time needed by backends to
complete HTTP requests.
Application Load Balancers also support the use of the in-flight balancing mode that lets you configure the load balancer's traffic distribution to supported backends when requests take more than a second to complete.
This feature is in General availability.
Database Center generative views are available in Preview. Generative views use Gemini and natural language prompts to let you generate and save customized dashboard views of your database fleet inventory and metrics.
For more information, see Generate dashboard views using Gemini.
Default Key Access Justifications policies are generally available. When you use Key Access Justifications with Cloud Key Management Service or Cloud HSM for the Assured Workloads Japan Data Boundary, you can create default Key Access Justifications policies at the organization, folder, or project level. For more information about default Key Access Justifications policies, see Set default Key Access Justifications policy.
]]>ChatGPT users are now able to list and use the AlloyDB toolset provided by the AlloyDB remote MCP server.
On May 21st, 2026, we released an updated version of Apigee (1-17-0-apigee-8).
| Bug ID | Description |
|---|---|
| 514973778 | Fixed Model Armor response parsing to gracefully handle unknown fields, so future Model Armor field additions no longer cause policy failures. |
On May 21, 2026 we released an updated version of the Apigee hybrid software, v1.16.4.
| Bug ID | Description |
|---|---|
| 515424331 | Fixed an issue with missing container images in the gcr.io/apigee-release/hybrid/ repository. |
The App Engine Migration hub lets you migrate services in the App Engine standard environment to Cloud Run, and also provides cost-saving recommendations. For more information, see Deploy an App Engine app in the standard environment to Cloud Run (Preview).
The App Engine Migration hub lets you migrate services in the App Engine standard environment to Cloud Run, and also provides cost-saving recommendations. For more information, see Deploy an App Engine app in the standard environment to Cloud Run (Preview).
The App Engine Migration hub lets you migrate services in the App Engine standard environment to Cloud Run, and also provides cost-saving recommendations. For more information, see Deploy an App Engine app in the standard environment to Cloud Run (Preview).
The App Engine Migration hub lets you migrate services in the App Engine standard environment to Cloud Run, and also provides cost-saving recommendations. For more information, see Deploy an App Engine app in the standard environment to Cloud Run (Preview).
The App Engine Migration hub lets you migrate services in the App Engine standard environment to Cloud Run, and also provides cost-saving recommendations. For more information, see Deploy an App Engine app in the standard environment to Cloud Run (Preview).
The App Engine Migration hub lets you migrate services in the App Engine standard environment to Cloud Run, and also provides cost-saving recommendations. For more information, see Deploy an App Engine app in the standard environment to Cloud Run (Preview).
The following resource types are publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, SearchAllResources, and SearchAllIamPolicies APIs.
apigee.googleapis.com/SecurityActionapigee.googleapis.com/SecurityMonitoringConditionapigee.googleapis.com/SecurityProfileV2cloudkms.googleapis.com/RetiredResourcehypercomputecluster.googleapis.com/ClusterZonal affinity, which was previously available in Preview, is generally available (GA).
For more information, see Zonal affinity for internal passthrough Network Load Balancers.
Config Controller now uses the following versions of its included products:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.77 | v27.5.1 | v2.2.3 | See List |
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.18.32 | v27.5.1 | v2.2.3 | See List |
Switch cchost-* boards to legacy iptables.
Added support for the R595 Nvidia driver production branch.
Added support for NVIDIA driver v535.309.01.
Apply hardening sysctls on cchost boards.
Added support for NVIDIA driver v580.159.03.
Dropped support for the NVIDIA 535 drivers.
Added support for NVIDIA driver v595.71.05.
Enabled mm hardening kernel cmdlines on cchost.
Upgraded app-shells/dash to v0.5.13.4.
Increased the size of the EFI partition from 32 MiB to 64 MiB and increased the sizes of both kernel partitions from 16 MiB to 32 MiB on x86.
Upgraded cos-gpu-installer to v2.7.1.
Made it so that /etc/machine-id is mounted with noexec, nosuid, and nodev.
Upgraded net-misc/rsync to v3.4.2.
Switch cchost-* boards to legacy iptables.
Fixed CVE-2025-38584 in the Linux kernel.
Updated the Linux kernel to v6.18.32.
Fixed CVE-2026-23473 in the Linux kernel.
Updated uhaul to v6.18-0.
Fixed CVE-2026-43060 in the Linux kernel.
Upgrade the Linux kernel to version 6.18.
Fixed CVE-2026-43063 in the Linux kernel.
Upgraded sys-apps/xemu to v0.0.9.
Fixed CVE-2026-43065 in the Linux kernel.
Upgraded sys-fs/cryptsetup to v2.8.6.
Fixed CVE-2026-43066 in the Linux kernel.
Upgraded sysram to v6.18-0.
Fixed CVE-2026-43067 in the Linux kernel.
Added the cos_kernel_args tool that allows manipulating kernel command line arguments of a COS image.
Fixed CVE-2026-43068 in the Linux kernel.
Added nvidia-fs support to the COS GPU installer.
Fixed CVE-2026-43071 in the Linux kernel.
Fixed CVE-2026-43073 in the Linux kernel.
Fixed CVE-2026-43079 in the Linux kernel.
Added support for NVIDIA driver v580.159.03.
Fixed CVE-2026-43085 in the Linux kernel.
Added support for NVIDIA driver v595.71.05.
Fixed CVE-2026-43086 in the Linux kernel.
Added support for NVIDIA drivers v580.126.16 and v580.126.20.
Fixed CVE-2026-43089 in the Linux kernel.
Dropped support for NVIDIA MFT Tools v4.32.0.
Fixed CVE-2026-43090 in the Linux kernel.
Upgraded CASFS to v0.1.3.
Fixed CVE-2026-43091 in the Linux kernel.
Upgraded app-admin/oslogin to v20260227.00.
Fixed CVE-2026-43093 in the Linux kernel.
Upgraded app-admin/oslogin to v20260430.00.
Fixed CVE-2026-43094 in the Linux kernel.
Upgraded app-admin/sosreport to v4.11.1.
Fixed CVE-2026-43099 in the Linux kernel.
Upgraded app-containers/docker-credential-helpers to v0.9.6.
Fixed CVE-2026-43107 in the Linux kernel.
Upgraded app-shells/dash to v0.5.13.3.
Fixed CVE-2026-43112 in the Linux kernel.
Upgraded app-shells/dash to v0.5.13.4.
Fixed CVE-2026-43114 in the Linux kernel.
Upgraded chromeos-base/chromeos-common-script to v0.0.1-r672.
Fixed CVE-2026-43117 in the Linux kernel.
Upgraded chromeos-base/debugd-client to v0.0.1-r2738.
Fixed CVE-2026-43329 in the Linux kernel.
Upgraded chromeos-base/google-breakpad to v2026.04.24.230834-r272.
Fixed CVE-2026-43332 in the Linux kernel.
Upgraded chromeos-base/google-breakpad to v2026.05.06.161957-r274.
Fixed CVE-2026-43333 in the Linux kernel.
Upgraded chromeos-base/power_manager-client to v0.0.1-r2973.
Fixed CVE-2026-43336 in the Linux kernel.
Upgraded chromeos-base/session_manager-client to v0.0.1-r2834.
Fixed CVE-2026-43338 in the Linux kernel.
Upgraded cos-gpu-installer to v2.7.1.
Fixed CVE-2026-43339 in the Linux kernel.
Upgraded dev-db/sqlite to v3.53.1.
Fixed CVE-2026-43341 in the Linux kernel.
Upgraded dev-libs/expat to v2.8.0.
Fixed CVE-2026-43350 in the Linux kernel.
Upgraded dev-libs/expat to v2.8.1.
Fixed CVE-2026-43359 in the Linux kernel.
Upgraded net-libs/libnetfilter_queue to v1.0.5-r1.
Fixed CVE-2026-43360 in the Linux kernel.
Upgraded net-misc/rsync to v3.4.2.
Fixed CVE-2026-43361 in the Linux kernel.
Upgraded sys-apps/makedumpfile to v1.7.9.
Fixed CVE-2026-43362 in the Linux kernel.
Upgraded sys-libs/libcap to v2.78.
Fixed CVE-2026-43363 in the Linux kernel.
Upgraded sys-process/lsof to v4.99.6.
Fixed CVE-2026-43365 in the Linux kernel.
Upgraded the dump capture kernel to Linux v6.18.
Fixed CVE-2026-43366 in the Linux kernel.
Fixed CVE-2026-0994 in dev-libs/protobuf.
Fixed CVE-2026-43374 in the Linux kernel.
Fixed CVE-2026-34743 in app-arch/xz-utils.
Fixed CVE-2026-43383 in the Linux kernel.
Fixed CVE-2026-35385 and CVE-2026-35386 in net-misc/openssh.
Fixed CVE-2026-43392 in the Linux kernel.
Fixed CVE-2026-35414 in net-misc/openssh.
Fixed CVE-2026-43393 in the Linux kernel.
Fixed CVE-2026-4046 in sys-libs/glibc.
Fixed CVE-2026-43394 in the Linux kernel.
Fixed CVE-2026-4437,CVE-2026-4438 in sys-libs/glibc.
Fixed CVE-2026-43403 in the Linux kernel.
Fixed EFI variable OOB read in grub config parsing.
Fixed CVE-2026-43409 in the Linux kernel.
Fixed argument injection in toolbox.
Fixed CVE-2026-43438 in the Linux kernel.
Updated go to v1.25.9. This resolves CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-27140, CVE-2026-27144.
Fixed CVE-2026-43439 in the Linux kernel.
Updated the Linux kernel to v6.18.31.
Fixed CVE-2026-43441 in the Linux kernel.
Upgraded containerd to v2.2.3. This fixes CVE-2026-35469.
Fixed CVE-2026-43448 in the Linux kernel.
Upgraded dev-libs/libgcrypt to v1.10.4 to fix CVE-2026-41989.
Fixed CVE-2026-43449 in the Linux kernel.
Upgraded dev-libs/openssl to v3.5.6 to fix CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31790.
Fixed CVE-2026-43450 in the Linux kernel.
Runtime sysctl changes:
Fixed CVE-2026-43451 in the Linux kernel.
Fixed CVE-2026-43452 in the Linux kernel.
Fixed CVE-2026-43453 in the Linux kernel.
Fixed CVE-2026-43466 in the Linux kernel.
Fixed CVE-2026-43469 in the Linux kernel.
Fixed CVE-2026-43470 in the Linux kernel.
Fixed CVE-2026-43472 in the Linux kernel.
Fixed CVE-2026-43475 in the Linux kernel.
Fixed CVE-2026-43482 in the Linux kernel.
Fixed CVE-2026-43486 in the Linux kernel.
Fixed CVE-2026-43487 in the Linux kernel.
Fixed CVE-2026-46333 in the Linux kernel.
Fixed argument injection in toolbox.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v27.5.1 | v2.0.8 | See List |
This is an LTS Refresh release.
Added support for NVIDIA driver v535.309.01.
Added support for NVIDIA driver v580.159.03.
Upgraded app-admin/google-guest-configs to v20251014.00.
Upgraded app-containers/docker-credential-helpers to v0.9.4.
Upgraded cos-gpu-installer to v2.7.1.
Upgraded net-libs/libnetfilter_conntrack to v1.1.1.
Upgraded net-libs/libtirpc to v1.3.7.
Upgraded net-nds/rpcbind to v1.2.8.
Upgraded sys-apps/acl to v2.3.2-r3.
Upgraded sys-apps/gentoo-functions to v1.7.4.
Upgraded sys-auth/pambase to v20251104.
Upgraded sys-libs/libcap to v2.77.
Upgraded sys-libs/libseccomp to v2.6.0-r3.
Fixed CVE-2026-43187 in the Linux kernel.
Fixed CVE-2026-46333 in the Linux kernel.
Fixed argument injection in toolbox.
Runtime sysctl changes:
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.12.85 | v27.5.1 | v2.1.7 | See List |
Switch cchost-* boards to legacy iptables.
Added support for NVIDIA driver v535.309.01.
Added support for NVIDIA driver v580.159.03.
Added support for NVIDIA driver v595.71.05.
Upgraded app-shells/dash to v0.5.13.4.
Upgraded cos-gpu-installer to v2.7.1.
Upgraded net-misc/rsync to v3.4.2.
Fixed CVE-2025-38584 in the Linux kernel.
Fixed CVE-2026-23473 in the Linux kernel.
Fixed CVE-2026-46333 in the Linux kernel.
Fixed argument injection in toolbox.
| Kernel | Docker | Containerd | GPU Drivers |
| COS-6.6.137 | v24.0.9 | v1.7.29 | See List |
Added support for NVIDIA driver v535.309.01.
Added support for NVIDIA driver v580.159.03.
Upgraded app-shells/dash to v0.5.13.4.
Upgraded cos-gpu-installer to v2.7.1.
Fixed CVE-2026-46333 in the Linux kernel.
Fixed argument injection in toolbox.
Google Distributed Cloud (software only) for VMware 1.35.100-gke.72 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud 1.35.100-gke.72 runs on Kubernetes v1.35.3-gke.400.
If you are using a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release.
After a release, it takes approximately 7 to 14 days for the version to become available for use with GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
The following issues were fixed in 1.35.100-gke.72:
gkectl diagnose on user clusters that are awaiting migration to advanced mode.Google Distributed Cloud (software only) for bare metal 1.35.100-gke.72 is now available for download. To upgrade, see Upgrade clusters. Google Distributed Cloud for bare metal 1.35.100-gke.72 runs on Kubernetes v1.35.3-gke.400.
After a release, it takes approximately 7 to 14 days for the version to become available for installations or upgrades with the GKE On-Prem API clients: the Google Cloud console, the gcloud CLI, and Terraform.
If you use a third-party storage vendor, check the Google Distributed Cloud-ready storage partners document to make sure the storage vendor has already passed the qualification for this release of Google Distributed Cloud for bare metal.
The following issues were fixed in 1.35.100-gke.72:
GKE cluster versions have been updated.
New versions available for upgrades and new clusters.
The following versions are now available for new GKE clusters, and for manual control plane upgrades and node upgrades for existing clusters. For more information about versioning and upgrades, see GKE versioning and support and About GKE cluster upgrades.
This release includes new GKE versions that use updated Container-Optimized OS images. These updated images are cumulative, incorporating security fixes from all Container-Optimized OS versions released since the previous GKE release.
To identify the specific vulnerabilities that were resolved in each updated Container-Optimized OS image, see the Security release notes for that image. The following table includes links to the release notes for each updated Container-Optimized OS image:
| GKE version | Container-Optimized OS version | Details |
|---|---|---|
| 1.36.0-gke.2253000 | cos-beta-129-19506-120-52 | cos-beta-129-19506-120-52 release notes |
Google Cloud's Agent for SAP version 3.14
Version 3.14 of Google Cloud's Agent for SAP is generally available (GA). This version introduces support for using a customer-managed encryption key (CMEK) to encrypt disks during disk snapshot based SAP HANA recovery, some logging and stability enhancements, and minor bug fixes.
For more information, see What's new with Google Cloud's Agent for SAP.
When deploying your Secure Web Proxy instance as next
hop, you can now configure the gateway
to listen on all ports (from 1 to 65535). By using this feature, your proxy
can automatically intercept and enforce security policies and rules to all
outbound traffic, removing the need to manage specific port lists.
This feature is supported in Preview.
The following Compliance Manager frameworks were updated:
The Security Command Center Enterprise service tier is deprecated. It will be shut down on May 21, 2027. By default, your organization will automatically move to the Premium service tier on that date.
Artifact guard is available in Preview to the Security Command Center Enterprise and Premium tiers. Artifact guard is a service that helps you prevent the deployment of vulnerable packages throughout the software development lifecycle.
Risk Engine detects toxic combinations that are related to Cloud Build resources.
]]>On May 20, 2026, we published a security bulletin for Apigee.
A vulnerability was found in Apigee
(CVE-2026-2264)
where the IntegrationRegion
parameter in the SetIntegrationRequest policy lacks validation,
allowing for Server-Side Request Forgery (SSRF) and service account token
exfiltration. The issue arises when an attacker can control a flow variable used
for IntegrationRegion, leading to requests being sent to an
attacker-controlled host with the service account token.
Security bulletin published: GCP-2026-034
BigQuery can re-execute instructions (queries) to try to proactively detect performance, correctness, or functional regressions.
These re-executions will have no side effects and will happen with no additional cost or resource consumption.
Data access logs may show bigquery-adminbot@system.gserviceaccount.com when BigQuery re-executes an instruction.
Python UDFs are now Generally Available (GA).
You can use Python UDFs to implement a scalar function in Python and use it in a SQL query. Python UDFs let you install third-party libraries from the Python Package Index (PyPI) and let you access external services using a Cloud resource connection.
You can now use the
AI.AGG function
to semantically aggregate unstructured input data based on natural language
instructions. This feature is in
Preview.
Managed Cloud Service Mesh using the TRAFFIC_DIRECTOR implementation in the
stable channel now supports a limited implementation of the EnvoyFilter API.
To learn about the supported fields, extensions, and how to use EnvoyFilter
for features like local rate limiting see
Data plane extensibility with EnvoyFilter.
To troubleshoot any issue while configuring, see Resolving data plane extensibility issues.
Cloud Service Mesh can now report a status code to indicate whether an Istio API is accepted or rejected. You can view the status code on the resource and mesh state. For more information see MembershipState Error Codes.
Confidential Space image 260500 is available. This image introduces support for Intel Trust Authority (ITA) as an independent attestation verifier service for your workloads. This lets you verify the identity, the hardware state, and the software state of the Confidential Space environment directly using Intel's attestation service.
NotebookLM Enterprise: The Podcast API is deprecated
The Podcast API is deprecated. Google isn't allowlisting new customers.
This feature was available as GA with allowlist.
Supervised fine-tuning available for Gemini 3.1 Flash Lite (Preview)
Supervised fine-tuning is now available for limited support for the
gemini-3.1-flash-lite model. During this period, model tuning for Gemini
3.1 Flash Lite is restricted to us-central1 and europe-west4 and tuned model
serving is restricted to the us and eu multi-region endpoints.
See About supervised fine-tuning for more information.
Set media resolution at a Part-level for data when using supervised fine-tuning
Supervised fine-tuning now supports Part-level mediaResolution declarations
for images, videos, and PDFs. Part-level media resolution declarations also
support the MEDIA_RESOLUTION_ULTRA_HIGH level.
See the following media type–specific pages for more information:
All 1-year committed use discounts (CUDs) for Google Cloud VMware Engine ve1 SKUs are now End-of-Sale across the europe-west2 (London, UK) region. You can continue to use ve1 nodes with on-demand pricing. This change doesn't affect existing CUDs. You can also use ve2 nodes, including ve2 CUDs.
AlienVault USM Appliance: Version 27.0
Protectwise: Version 6.0
Service Desk Plus: Version 9.0
Service Desk Plus V3: Version 9.0
ServiceNow: Version 66.0
Google Chronicle: Version 83.0
Tanium: Version 20.0
Version 20260511.00 of the guest agent
is now available for all supported operating systems. This is a rebuild of
version 20260423.01 announced in the
April 27, 2026 release notes.
It includes no additional changes and is released specifically to trigger a guest agent restart.
Between May 4, 2026, and May 11, 2026, the control plane accidentally sent an erroneous request to remove the core plugin. This caused the agent to stop functioning, which disrupted features that rely on it, such as SSH and Windows password resets. This package update automatically restarts the agent on instances where auto-update is enabled to resolve the issue.
Oracle Database@Google Cloud supports Oracle Cloud Infrastructure Goldengate. You can create Goldengate deployments and connections to replicate and transform data between systems.
This feature is Generally Available (GA).
Secret Manager and Parameter Manager integrate with the Agent Development Kit (ADK) to retrieve secrets and parameters securely at runtime. This integration prevents the exposure of sensitive credentials to the LLM context window or conversation history.
For more information, see the following resources:
]]>Improvements to backtest API and recall metrics are now available with engine version v004.011. This includes support for Performance Targeting by number of parties required above threshold and a simplified recall metric calculation.
On May 19, 2026 we released an updated version of the Apigee hybrid software, v1.16.3.
| Bug ID | Description |
|---|---|
| 512866352 | Fixed an issue where the apigee-redis pod entered a CrashLoopBackOff state when deployed with Vault-based secret injection due to a GLIBC version mismatch in the bundled /bin/sh and /bin/cat binaries. |
Custom environment variables for Guardrail pods (guardrails.envVars)
Starting in version v1.16.3, you can inject custom environment variables into Apigee hybrid Guardrail pods using the new guardrails.envVars property in overrides.yaml. This is most commonly used to set NO_PROXY (or no_proxy) so that Guardrail pods bypass a configured forward HTTP proxy when calling internal in-cluster endpoints such as the Kubernetes API server, which previously failed in restricted-network environments with a global httpProxy configured. The property is supported on Guardrail pods for the following components: apigee-datastore, apigee-env, apigee-ingress-manager, apigee-operator, apigee-org, apigee-redis, apigee-telemetry, and apigee-virtualhost.
Example:
guardrails:
envVars:
NO_PROXY: 'kubernetes.default.svc,172.20.0.1'
Certificate Manager (2nd gen) is available in Preview. Certificate Manager (2nd gen) offers a unified control plane to observe, manage, and automate certificates across your organization.
For more information, see Certificate Manager (2nd gen) overview.
Google tag gateway for advertisers lets website owners host and deploy Google tags through Google Cloud. You can use a global external Application Load Balancer to route measurement traffic on your website through your domain for improved measurement data accuracy. This provides more reliable data for advertising campaign optimization.
For more information, see Google tag gateway for advertisers.
Config Connector version 1.151.0 is now available.
New Alpha Resources (Direct Reconciler):
New Fields:
MemorystoreInstance
spec.automatedBackupConfig field.spec.crossInstanceReplicationConfig field.spec.maintenanceVersion field.status.observedState.availableMaintenanceVersions field.status.observedState.crossInstanceReplicationConfig field.status.observedState.effectiveMaintenanceVersion field.status.observedState.pscAttachmentDetails field.BigQueryDataTransferConfig
ContainerCluster
Gemini Enterprise: Data store for Crossbeam (Preview)
You can now connect Crossbeam data stores to Gemini Enterprise.
Support for Crossbeam data stores is in Public Preview. For more information, see Connect Crossbeam.
Gemini Enterprise: Use Gemini 3.5 Flash (GA)
Gemini 3.5 Flash is generally available (GA) in the Global, US, and EU regions with Gemini Enterprise. Users can select it in the model selector dropdown within the Gemini Enterprise app assistant and in Agent Designer.
As Gemini 3.5 Flash is the current GA Flash model, Gemini 2.5 Flash is removed from the model selector. Administrators can't toggle Gemini 3.5 Flash off.
For more information about feature controls, see Manage features on the web app.
NotebookLM Enterprise: Create slide decks and infographics
You can create slide decks and infographics using NotebookLM Enterprise. This feature is generally available (GA). For more information on the usage limits, see Usage limits.
Gemini 3.5 Flash is generally available (GA)
For details, see the model specifications page.
Manage agent revisions and traffic splitting
Agent revisions and traffic splitting are now available in public preview. You can create immutable revisions of deployed agents, and split traffic between the different active revisions. This enables canary deployments and safe testing of new agent versions. For more information, see Manage revisions and traffic.
Manage and discover agent skills with Skill Registry
Manage and discover agent skills with the Skill Registry, in public preview. This secure, private, and low-latency repository stores skills as self-contained packages, including instructions, code, and documentation, to enhance agent abilities.
For more information, see:
Managed Agents API on Agent Platform released in Preview
The Managed Agents API on Agent Platform has been released in Preview.
This feature allows you to build and scale autonomous agents, including those built from configuration using the Antigravity harness. These agents run in a fully managed and isolated sandbox environment, equipped with tools and skills, and can be interacted with via a dedicated API.
For more information, see the following:
AI Content Detection API available
AI Content Detection API is available in Preview. For details see AI Content Detection.
Provisioned Throughput for Gemini now supports latency SLA
Provisioned Throughput now provides a tokens per second latency SLA, covering generation speed from the first returned token to the last.
For more information, see the Gemini Enterprise Agent Platform Online Inference Service Level Agreement (SLA).
Memory Bank and Sessions support for multi-regional and global endpoints is in Preview. For more, see Supported locations for agents in Agent Platform.
Google Cloud CCaaS 4.30
We've released version 4.30 of Google Cloud CCaaS.
The timing of the update to your instance depends on the deployment schedule that you have chosen. For more information, see Deployment schedules.
Skip the IVR greeting message
You can now configure your instance to skip the IVR greeting message.
Administrators: A new Skip IVR Greeting option is available in the Settings > Languages & Messages > IVR-specific Messages section.
For more information, see Customize IVR-specific messages.
Headless web SDK: advanced call scheduling is turned on by default
The useAdvancedCallScheduling parameter in the headless SDK is now set to
true by default.
Queue status endpoint
The new queue status endpoint provides real-time data for leaf queues, including
estimated wait times, agent availability, callback slot capacity, hours of
operation, and holidays. This capability lets voice AI systems dynamically
decide whether to escalate a call to a live agent or offer scheduled callback
windows to the caller. You can access the queue status endpoint in the apps API:
GET /apps/api/v1/queues/status.
For more information, see The queue status endpoint.
For call transfers in HubSpot, the ticket owner is automatically updated
When a call is transferred from one agent to another with a HubSpot integration, HubSpot tickets now automatically update to reflect the new ticket owner. This provides an accurate record of ownership throughout the interaction lifecycle. No configuration is required.
This release addresses the following issues:
Fixed an issue where email messages in some queues displayed a blank white panel when opened.
Fixed an issue that occurred when a closed ticket ID was passed to HubSpot using the SDK. The ticket wasn't reopened, resulting in new tickets being created.
Fixed an issue where agents could paste images into the chat adapter even when the Allow agents to attach files setting was turned off.
Fixed an issue where the agent adapter displayed generic error messages
instead of call failure reasons such as Busy or No answer.
Fixed an issue where chat history wasn't deleted after a session ended, causing the agent desktop to become unstable for high-volume agents.
Fixed an issue where the NICE WFM ASCWS heartbeat timed out, causing agents to appear inactive and disrupting adherence reporting.
Fixed an issue where virtual agents unexpectedly disconnected during inbound IVR calls, causing the calls to escalate to a human agent.
Fixed an issue where customer utterances were missing from the Live Transcript when conversations were transferred from a Dialogflow CX agent to a human agent.
Fixed an issue where, when an agent searched for a queue during a chat
transfer, the queue appeared with No logged in agents when agents were
available.
Fixed an issue where launching a task virtual assistant during a chat caused the agent's screen to freeze.
Fixed an issue where call transcripts from CX Agent Studio agent conversations were added to CRM records as garbled and unreadable text, with repeated words and incorrect turn order.
Fixed an issue where the Wait Time custom field on Zendesk tickets displayed an incorrect value when using custom fields for Account and Record.
Fixed an issue where agents assigned a direct SMS-capable line didn't
receive visual notifications for incoming SMS chats in the agent adapter
while their status was set to Unavailable.
Fixed an issue where some chat transcripts couldn't be downloaded from the Completed Chats page.
Fixed an issue where customer calls were unexpectedly abandoned during payment transactions when DTMF inputs were provided.
Fixed an issue where agents heard repeated call notification sounds during active calls, even when no new call was assigned.
Fixed an issue where only English IVR queues appeared when configuring agent-specific deflection settings, even when other language queues were available.
Fixed an issue where email messages in queues displayed a blank white panel when opened.
Fixed an issue where chat transcript and metadata files were generated as empty files, causing API timeouts and blocking reporting pipelines.
Fixed an issue where chat sessions that ended due to end-user inactivity were marked as Disconnected by end user instead of Timeout: end user stopped responding.
Fixed an issue where agents couldn't receive more than 12 concurrent chats despite being configured for up to 30.
Fixed an issue where virtual agent calls were routed back to the original queue instead of being handled as expected.
Fixed an issue that occurred when a third party was added to a call. After all participants left the call, the call still appeared to be connected.
Fixed an issue where cascade conditions for agent queues didn't correctly enforce the minimum number of available UK agents before allowing calls to cascade from the US queue, resulting in calls being routed incorrectly.
Fixed an issue where bulk user import incorrectly limited the chat concurrency value to the global default, preventing valid per-agent settings from being uploaded.
Managed Service for Apache Spark (formerly Dataproc on Compute Engine):
The configuration for Spark shuffle partitions (spark.sql.shuffle.partitions) has changed from an integer to a string type.
This change impacts image versions 2.3.30 and later in version 2.3, and 2.2.82 and later in version 2.2.
spark.conf.set() with an integer literal.
spark.conf.set("spark.sql.shuffle.partitions", 100)spark.conf.set("spark.sql.shuffle.partitions", "100")spark-submit --conf spark.sql.shuffle.partitions=100), properties files, or Spark SQL commands (spark.sql("SET spark.sql.shuffle.partitions=100")) remains unaffected, as these methods naturally parse the input as strings.Oracle Database@Google Cloud lets you enable Autonomous Data Guard for local peer databases.
This feature is Generally Available (GA).
Vulnerability Assessment for Google Cloud supports scanning XFS and NTFS disk partition types.
The December 2023 release notes include a release note for the General Availability of Organization Policy Service custom constraints that provide more granular control over specific fields for some VPC resources.
This feature has been available in General Availability since December 19, 2023, but the release note was previously omitted.
For more information, see Manage VPC resources by using custom organization policies.
You can cancel pending deletion requests for VPC Network Peering connections that are in consensus mode. This feature is available in Preview. For more information, see Cancel a deletion request.
]]>