
Alpine Linux 3.22.0 Released with Docker 28 and LLVM 20

Author: Ze Research Writer

Alpine Linux 3.22.0 arrives with major component updates including Docker 28, LLVM 20, Rust 1.87, and Go 1.24, while introducing systemd-efistub as the default EFI stub replacement for gummiboot.

The Alpine Linux development team announced the release of Alpine Linux 3.22.0 on May 30, 2025, marking the first stable release in the v3.22 series. The distribution, known for its minimal footprint and security-focused design, ships with substantial updates to core infrastructure components including Docker 28, LLVM 20, and multiple programming language toolchains.

Figure 1: Visual representation of the BeyondTrust vulnerability chain

What Happened

The Alpine Linux project published the 3.22.0 release announcement on May 30, 2025, following the standard six-month release cycle. The release represents the culmination of development work from over 200 contributors, according to the project's commit log.

Key component updates in this release include:

LLVM advances to version 20, bringing compiler infrastructure improvements that affect the entire software stack built on Alpine. The LLVM project released version 20.1.0 with enhanced optimization passes and expanded target architecture support.

Docker Engine 28 arrives in Alpine 3.22.0, providing container runtime updates that align with upstream Docker development. The Docker 28 release includes improvements to build caching, networking, and security features.

Programming language toolchains receive substantial updates: Rust 1.87 (released May 15, 2025), Go 1.24, Ruby 3.4 (released December 25, 2024), and Node.js LTS 22.16. The Crystal programming language updates to version 1.16.

The nginx web server advances to version 1.28, and the Dovecot mail server reaches version 2.4. The BIRD routing daemon updates to version 3.1, with migration documentation available for users upgrading from version 2.x.

Key Claims and Evidence

The Alpine Linux team states that systemd-efistub now serves as the default EFI stub, replacing gummiboot. According to the release notes, users who have not modified the efistub_file setting in /etc/kernel-hooks.d/secureboot.conf require no action during upgrade. The project clarifies that this change uses only the stub component from systemd, not the full init system.

The release notes indicate that gummiboot-efistub has been moved to the testing repository. The Alpine wiki contains detailed migration documentation for users with custom secure boot configurations.

For systems with separate / and /usr filesystems, the release notes warn that special care is required during upgrade. The project documentation describes this configuration as unsupported and provides specific guidance in the wiki.

The upgrade process requires using the command apk upgrade --available when switching between major versions, according to official documentation.
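
The two upgrade caveats above can be checked before running the upgrade. The script below is an added example, not code from the Alpine project or its release notes; it assumes secureboot.conf uses shell-style key=value lines with # comments and that the mount table is in /proc/mounts format, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for the caveats in the 3.22.0 release notes.
# Assumption: secureboot.conf holds shell-style key=value lines, '#' starts a comment.

# Print the active (uncommented) efistub_file value; return 1 if none is set.
efistub_override() {
    [ -r "$1" ] || return 1
    val=$(sed -n 's/^[[:space:]]*efistub_file=//p' "$1" | tail -n 1 | tr -d "\"'")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Return 0 if the mount table (second column = mount point) lists /usr itself.
usr_is_separate() {
    awk '$2 == "/usr" { found = 1 } END { exit !found }' "$1"
}

# Run both checks; the return code is the number of findings that need review.
preupgrade_check() {
    conf=${1:-/etc/kernel-hooks.d/secureboot.conf}
    mounts=${2:-/proc/mounts}
    findings=0
    if stub=$(efistub_override "$conf"); then
        findings=$((findings + 1))
        echo "REVIEW: efistub_file is set to $stub in $conf"
        case $stub in
            *gummiboot*)
                echo "  gummiboot-efistub has moved to the testing repository" ;;
        esac
    fi
    if usr_is_separate "$mounts"; then
        findings=$((findings + 1))
        echo "REVIEW: /usr is a separate filesystem (unsupported layout, see the Alpine wiki)"
    fi
    [ "$findings" -eq 0 ] && echo "OK: no caveat applies; upgrade with: apk upgrade --available"
    return "$findings"
}
```

Calling preupgrade_check with no arguments inspects the live host; passing two file paths runs the same checks against saved copies of the config and mount table.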

Figure 2: How the authentication bypass vulnerability works

Pros and Opportunities

Container deployments benefit from the updated Docker 28 engine, which includes performance improvements and security enhancements. Organizations using Alpine as their container base image gain access to these improvements without changing their deployment workflows.

Development teams working with Rust, Go, Ruby, or Node.js receive current toolchain versions. The Rust 1.87 update brings the latest language features and compiler optimizations. Go 1.24 includes improvements to the garbage collector and standard library.

Desktop users on Alpine gain access to current versions of major desktop environments. GNOME 48 and KDE Plasma 6.3 provide updated user interfaces and application ecosystems.

Virtualization administrators benefit from Xen 4.20, which includes security improvements and hardware support updates. The BIRD 3.1 routing daemon update assists network operators managing complex routing configurations.

The systemd-efistub change simplifies the secure boot stack by using a more actively maintained component. Organizations concerned about supply chain security benefit from reduced dependency on unmaintained software.

Cons, Risks, and Limitations

The secure boot toolchain change requires attention from administrators with custom configurations. Systems using modified efistub_file settings need manual intervention during upgrade. The deprecation of gummiboot-efistub removes a previously supported option.

Organizations with separate / and /usr filesystem layouts face additional upgrade complexity. The Alpine project explicitly marks this configuration as unsupported, which may affect some specialized deployments.

The major version upgrade carries inherent risk for production systems. Package version changes across the entire repository may introduce compatibility issues with existing applications. Testing in staging environments remains advisable before production deployment.

Some users may encounter issues with packages that have not yet been updated for compatibility with new toolchain versions. The transition period following a major release typically involves community-reported issues and subsequent point releases.

Figure 3: Privilege escalation from user to SYSTEM level

How the Technology Works

Alpine Linux uses musl libc instead of the more common glibc, resulting in smaller binary sizes and reduced attack surface. The distribution employs BusyBox for core utilities, further minimizing the base system footprint. A typical Alpine container image measures approximately 5 MB, compared to hundreds of megabytes for traditional distribution images.

The apk package manager handles software installation and updates. The apk upgrade --available command ensures that packages are upgraded to versions from the target release, rather than simply updating within the current version constraints.

The secure boot implementation uses an EFI stub to load the Linux kernel directly from UEFI firmware. The systemd-efistub component provides this functionality without requiring the full systemd init system. The stub handles kernel loading, initramfs loading, and command line parameter passing.

Technical context for expert readers: The move from gummiboot to systemd-efistub reflects broader ecosystem consolidation. Gummiboot was originally a standalone project that was later absorbed into systemd. Alpine's approach extracts only the EFI stub component, maintaining the distribution's independence from systemd as an init system while benefiting from active upstream maintenance.

Industry Implications

Alpine Linux's position as a preferred container base image means that updates propagate throughout the container ecosystem. Organizations using official Alpine-based images from Docker Hub and other registries will receive these updates as upstream maintainers rebuild their images.

The Docker 28 inclusion aligns Alpine with current container runtime capabilities. Container orchestration platforms like Kubernetes benefit from consistent runtime behavior across the ecosystem.

The programming language updates affect the broader software supply chain. Developers building applications on Alpine gain access to current language features and security fixes. CI/CD pipelines using Alpine-based build images incorporate these toolchain updates automatically.

The secure boot changes reflect ongoing evolution in Linux boot security. The consolidation around systemd-efistub may influence other distributions evaluating their secure boot implementations.

Confirmed Facts and Open Questions

Confirmed:

  • Alpine Linux 3.22.0 released on May 30, 2025
  • Docker 28, LLVM 20, Rust 1.87, Go 1.24 included
  • systemd-efistub replaces gummiboot as default EFI stub
  • gummiboot-efistub moved to testing repository
  • Over 200 contributors credited in release

Unclear or pending:

  • Timeline for point releases addressing post-release issues
  • Specific compatibility status for all third-party packages
  • Performance benchmarks comparing 3.22.0 to previous releases

What to Watch Next

Monitor the Alpine Linux security mailing list for any post-release security advisories. Point releases (3.22.1, 3.22.2) typically follow within weeks to address issues discovered after the initial release.

Watch for updated container images from projects that use Alpine as their base. Popular images including nginx, Node.js, and Python official images will incorporate Alpine 3.22.0 according to their respective update schedules.

The Alpine wiki release notes page may receive updates with additional migration guidance as the community identifies edge cases. Administrators planning upgrades should check the wiki before proceeding.

Observe upstream projects for any Alpine-specific compatibility issues. The combination of musl libc and updated toolchains occasionally surfaces issues in software that makes glibc-specific assumptions.
