VMware Tanzu Platform Security Updates Released — Critical Patches for Enterprise Cloud

In early February 2026, VMware (now part of Broadcom) issued a comprehensive wave of security advisories affecting multiple components of the Tanzu platform ecosystem. Between January 26 and February 1, administrators running Tanzu-based cloud-native infrastructure were advised to apply critical updates across buildpacks, stemcells, and platform services.

What is VMware Tanzu?

VMware Tanzu is Broadcom’s enterprise Kubernetes and cloud-native application platform, designed to help organizations build, run, and manage modern applications across multiple clouds and on-premises environments. The platform encompasses a broad ecosystem of tools including:

• Tanzu Platform for Cloud Foundry: Application runtime and services
• Tanzu Kubernetes Grid: Enterprise-ready Kubernetes distribution
• Tanzu Application Platform: Developer platform for building cloud-native apps
• Tanzu Data Services: Managed database and data services
• Tanzu Buildpacks: Cloud Native Buildpacks for application containerization

With Broadcom’s acquisition of VMware, Tanzu has become a cornerstone of the company’s enterprise software strategy, particularly for organizations embracing platform engineering and DevOps practices.

February 2026 Security Advisory Overview

According to the Canadian Centre for Cyber Security advisory AV26-075, VMware published security updates addressing vulnerabilities in the following Tanzu components:

Affected Components

Platform Services for VMware Tanzu Platform

• Affected versions: Prior to 10.3.4
• Update required: Upgrade to version 10.3.4 or later

Python Buildpack

• Affected versions: Prior to 1.8.71 and 1.8.75
• Update required: Apply patches for respective version lines

Ruby Buildpack

• Affected versions: Prior to 1.10.53
• Update required: Upgrade to version 1.10.53 or later

Service Publisher for VMware Tanzu Platform

• Affected versions: Prior to 10.3.4
• Update required: Upgrade to version 10.3.4 or later

Stemcells (Ubuntu Jammy FIPS)

• Affected versions: Prior to 1.1016.x
• Update required: Upgrade to version 1.1016.x or later

Stemcells (Ubuntu Noble)

• Affected versions: Prior to 1.188.x
• Update required: Upgrade to version 1.188.x or later

Stemcells (Windows)

• Affected versions: Prior to 2019.94.x
• Update required: Upgrade to version 2019.94.x or later

Tanzu Hub

• Affected versions: Prior to 10.3.4
• Update required: Upgrade to version 10.3.4 or later

Understanding the Components

What Are Buildpacks?

Buildpacks are a key component of cloud-native application deployment. They automatically detect application dependencies and package applications into container images without requiring developers to write Dockerfiles. The Python and Ruby buildpacks affected by these vulnerabilities are used extensively for deploying applications written in these popular programming languages across Tanzu environments.

What Are Stemcells?

Stemcells are versioned operating system images that BOSH (the deployment orchestration tool) uses to create virtual machines for Tanzu Platform components, Kubernetes nodes, and service instances. They provide:

• A hardened, consistent base operating system
• Security patches and updates
• Compatibility across cloud infrastructure providers
• FIPS 140-2 compliance options for regulated industries

The updates to Ubuntu Jammy FIPS, Ubuntu Noble, and Windows stemcells ensure that the underlying infrastructure remains secure and compliant with the latest security standards.

Platform Services and Tanzu Hub

Platform Services and Tanzu Hub represent core management capabilities within Tanzu Platform 10.3, which was released in August 2025. Tanzu Hub provides centralized visibility into applications, components, and security vulnerabilities across the entire platform estate.

Why These Updates Matter

1. Continued Enterprise Commitment

These security updates demonstrate Broadcom’s ongoing investment in maintaining and securing VMware’s Kubernetes and cloud-native infrastructure stack. Despite organizational changes following the acquisition, the Tanzu division continues to deliver regular security patches and feature enhancements.

2. Supply Chain Security

Vulnerabilities in buildpacks and stemcells represent supply chain security risks. Because these components are foundational to how applications are built and deployed, weaknesses here can affect every application running on the platform. Addressing these vulnerabilities helps organizations maintain a secure software supply chain.

3. Compliance and Governance

For enterprises operating in regulated industries (finance, healthcare, government), maintaining up-to-date FIPS-compliant stemcells is critical for certification and compliance requirements. The updates to Ubuntu Jammy FIPS stemcells ensure continued compliance with federal cryptographic standards.

4. Platform Engineering Focus

These updates reinforce VMware’s strategic focus on platform engineering and developer experience. By maintaining secure, well-supported buildpacks and platform services, Tanzu enables organizations to establish reliable “golden paths” to production while ensuring applications remain secure and resilient.

Immediate Actions for Administrators

1. Review Your Environment

Identify which Tanzu components you’re running:

bash

# Check installed stemcells
bosh stemcells

# List buildpacks
cf buildpacks

# Verify platform version
cf version

2. Download Updated Components

Access the Broadcom Support Portal to download patches:

• Navigate to: https://support.broadcom.com/web/ecx/security-advisory?segment=VT
• Filter for “Tanzu” products
• Download applicable updates for your environment

Note: As of March 2025, Tanzu product downloads require entitlement. Ensure you have proper access credentials.

3. Apply Stemcell Updates

Update stemcells across your BOSH deployments:

bash

# Upload new stemcell
bosh upload-stemcell <stemcell-tarball>

# Verify upload
bosh stemcells

# Update deployments to use new stemcell
bosh deploy <manifest> --recreate

4. Update Buildpacks

For Platform for Cloud Foundry environments:

bash

# Download updated buildpack
# Upload to Cloud Foundry
cf update-buildpack <buildpack-name> -p <buildpack-zip>

# Verify update
cf buildpacks

5. Restage Applications

After updating buildpacks, restage affected applications to incorporate security fixes:

bash

# Identify apps using affected buildpacks
cf apps

# Restage applications
cf restage <app-name>

6. Upgrade Platform Services

For Tanzu Platform components, follow the upgrade procedures in the official documentation:

• Tanzu Platform: https://techdocs.broadcom.com/vmware-tanzu
• Ensure compatibility across components during upgrades
• Test in non-production environments first

7. Verify Updates

Use Tanzu Vulnerability Insights (if available) to confirm vulnerabilities have been addressed:

• Access Tanzu Hub
• Navigate to Vulnerability Insights
• Search for specific CVEs
• Verify remediation status

Testing and Validation

Before rolling updates to production:

1. Stage in Development: Apply updates to development environments first
2. Run Integration Tests: Verify applications function correctly with new buildpacks/stemcells
3. Performance Testing: Ensure no performance degradation
4. Canary Deployments: Roll out to a subset of production workloads first
5. Monitor Closely: Watch for unexpected behavior or errors

Tanzu Platform 10.3 Enhancements

Expanded capabilities including:

• Enhanced fleet management for multi-foundation deployments
• Improved security visibility through Vulnerability Insights
• AI middleware for enterprise-ready AI applications
• Continued Cloud Foundry innovation with simplified developer experience

These developments underscore Broadcom’s long-term commitment to Tanzu as a comprehensive platform for modern application development, deployment, and management.

Conclusion

The February 2026 Tanzu security updates represent routine but critical maintenance for enterprise cloud-native infrastructure. By addressing vulnerabilities across buildpacks, stemcells, and platform services, VMware (Broadcom) demonstrates its continued commitment to securing the Tanzu ecosystem.

For organizations running Tanzu platforms, these updates should be prioritized and applied systematically. The affected components—particularly buildpacks and stemcells—are foundational to application security and platform integrity. Delaying updates increases exposure to potential vulnerabilities and complicates future upgrade paths.