Podman 6.0 Is Out — CNI, cgroups v1, and iptables Are Gone for Good
Podman 6.0 shipped on June 24, 2026, and it arrives with the kind of breaking changes that require you to read the release notes before upgrading. The open-source container engine has cut a substantial list of legacy technologies in a single release — forcing a migration cost now in exchange for a cleaner, faster architecture going forward.
What's Gone
Podman 6.0 drops the following entirely:
- CNI (Container Network Interface) — replaced by Netavark, which has been the recommended stack since Podman 4.0
- cgroups v1 — users must now be on cgroups v2, which has been stable in the kernel since 2019
- iptables — nftables is now the networking backend
- slirp4netns — replaced by Pasta for rootless container networking
- Windows 10 support
- Intel Mac support
None of these removals are individually surprising — Netavark replaced CNI as the recommended option years ago, and the Linux kernel's cgroups v2 interface has been shipping in every major distro by default for several releases. But cutting all of them in a single major version makes 6.0 a line in the sand. If your infrastructure still depends on any of these, you stay on 5.x until you modernize.
What's New
On the additions side, Podman 6.0 extends the --gpus flag to support AMD GPUs alongside the existing NVIDIA support. Teams running workloads on AMD Radeon or Instinct hardware previously had to rely on workarounds or switch to alternative tooling. The flag now works consistently across GPU vendors.
Network isolation is enabled by default, meaning new containers no longer have open network access unless explicitly configured. This improves Docker API compatibility and reduces the attack surface for containers that don't need external network egress. New Podman Machine and Quadlet capabilities are also included — full details are in the official release notes on GitHub.
The Security Fix You Should Not Skip
Buried in the changelog is a patch for CVE-2026-57231: a vulnerability where a malicious container image using malformed Env entries could cause the host's environment variables to leak into a running container. The exploit supports glob operators, meaning an attacker could potentially extract large numbers of environment variables — including API keys, credentials, and secrets — without knowing their exact names upfront.
If you run Podman in any environment where untrusted images might be pulled and executed, this patch alone is reason enough to upgrade, regardless of your position on the other breaking changes.
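A pre-run audit in the spirit of this fix, as an added example (not Podman's code and not taken from the advisory): it flags image-config Env entries that deviate from the `NAME=VALUE` form the OCI image spec defines. The page does not say exactly what "malformed" means, so the three checks and the names `classify` and `audit_env` are assumptions, and the sample config is constructed.

```python
import json

GLOB_CHARS = set("*?[]")  # shell-style glob metacharacters


def classify(entry):
    """Return a reason string if an Env entry is not NAME=VALUE, else None."""
    if not isinstance(entry, str):
        return "not a string"
    name, sep, _value = entry.partition("=")
    # Without '=', partition() puts the whole entry in `name`, so a bare
    # pattern is caught here. Globs in the value part are normal and ignored.
    if GLOB_CHARS & set(name):
        return "glob metacharacter in name"
    if not sep:
        return "missing '='"
    if not name:
        return "empty name"
    return None


def audit_env(image_config):
    """List (entry, reason) pairs for suspicious Env entries.

    Accepts an OCI image config ("config" key) or one object from
    `podman image inspect` output ("Config" key).
    """
    cfg = image_config.get("config") or image_config.get("Config") or {}
    findings = []
    for entry in cfg.get("Env") or []:
        reason = classify(entry)
        if reason:
            findings.append((entry, reason))
    return findings


# Constructed sample config, not taken from any real image.
SAMPLE_CONFIG = json.loads("""
{"architecture": "amd64", "os": "linux",
 "config": {"Cmd": ["/bin/sh"],
            "Env": ["PATH=/usr/local/bin:/usr/bin", "LANG=C.UTF-8",
                    "PATTERN=*.log", "DEMO_*", "NOVALUE", "=orphan"]}}
""")

if __name__ == "__main__":
    for entry, reason in audit_env(SAMPLE_CONFIG):
        print(f"REVIEW {entry!r}: {reason}")
```

Feed it the JSON from `skopeo inspect --config` or one element of `podman image inspect` output for an image from an untrusted source; any finding is a reason to hold the image for review on a host that has not yet been upgraded.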
The Philosophy Behind the Release
Podman's approach here reflects a deliberate choice: pay the migration cost once, cleanly, and move the entire ecosystem forward rather than carrying compatibility shims indefinitely. The technologies being removed are genuinely deprecated — not just unfashionable, but actively maintained as technical debt upstream. Keeping them in Podman required extra code paths, additional test surface, and constraints on new features.
For teams already running on modern Linux infrastructure — cgroups v2, Netavark, nftables — Podman 6.0 is a clean upgrade. For anyone still on older infrastructure, this release is the forcing function to catch up. The window for staying on legacy container networking while keeping current Podman is now closed.