FIND-20260329-011 · 2026-03-29 · Innovation Veille
Redpanda v25.3.11 — libxml2 CVE-2026-0990 fix + tiered storage + archive GC improvements
release
HIGH
Redpanda v25.3.11, released 2026-03-26, includes a security update: libxml2 is upgraded to v2.15.2, addressing CVE-2026-0990. Bug fixes include shadow link replication, tiered-storage manifest misalignment, Kafka client ID name correction, and offset translator inconsistency. Performance: archive GC now processes in bounded batches (300 segments/run) instead of unbounded deletes, and transaction initialization is optimized by eliminating unnecessary data copying.
Source
https://github.com/redpanda-data/redpanda/releases/tag/v25.3.11
ODS Impact
ODS uses Redpanda as the Zero-ETL event bus for all services. The libxml2 CVE fix is a security patch that should be deployed. The archive GC bounded-batch fix prevents potential OOM on high-throughput topics (critical for ODS Data Platform under P1/P2 load). ODS is already at v25.3.11 per last-versions.json, so no upgrade is needed.
Security Review
License: Business Source License 1.1 (BSL) | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
redpanda
kafka
release
cve
security
performance