Releases: moby/moby

v29.5.2

20 May 18:02
docker-v29.5.2
568f755

29.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fix docker cp failing with "mkdirat: file exists" when a container has a bind mount whose target traverses an in-container symlink (e.g. /var/run -> /run). moby/moby#52655

v29.5.1

18 May 17:10
docker-v29.5.1
dd24a3a

29.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release includes fixes for multiple security vulnerabilities affecting Docker Engine.

  • CVE-2026-41567 Fix a vulnerability in docker cp where archive decompression binaries (e.g. xz, unpigz) were resolved via PATH inside the container filesystem while running as host root, allowing a malicious container to execute arbitrary binaries with host root privileges.
    GHSA-x86f-5xw2-fm2r

  • CVE-2026-41568 Fix a TOCTOU vulnerability in docker cp that allowed a container process to create files or directories at arbitrary locations on the host filesystem.
    GHSA-vp62-88p7-qqf5

  • CVE-2026-42306 Fix a TOCTOU vulnerability in docker cp that allowed a container process to redirect a bind mount to an arbitrary location on the host filesystem.
    GHSA-rg2x-37c3-w2rh

Networking

  • Fix UDP conntrack entries not being deleted when not bound to a specific IP address. moby/moby#52640

v29.5.0

14 May 21:37
docker-v29.5.0
ff8d90a

29.5.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Note

Rootless: gvisor-tap-vsock is now the default rootless network driver and should be preferred over slirp4netns, which is no longer installed via Docker packaging.

New

  • Rootless: Add new default gvisor-tap-vsock network driver. moby/moby#52319
  • Enable private time namespace for containers by default on supported kernels. moby/moby#52326
  • The local logging driver now has support for custom attributes, adding support for the label, label-regex, env, env-regex, and tag log options. moby/moby#52348
  • Windows: The daemon now supports listening on a Unix socket (-H unix://...), with optional group-based access control via --group. moby/moby#52365

Bug fixes and enhancements

  • docker ps --format now supports a .HealthStatus placeholder to print container health state (starting, healthy, unhealthy) as a dedicated field. docker/cli#6913
  • Add "time-namespaces" feature flag to disable time-namespaces. moby/moby#52577
  • containerd integration: Fix auth token requests ignoring per-host TLS settings (custom CAs, insecure-registries). moby/moby#52600
  • Daemon reload events now signify that the daemon reload has fully completed. moby/moby#52589
  • Expose diagnostic data about userland proxy in docker info. moby/moby#52321
  • Fix docker image ls --filter reference=... (GET /images/json) to also match fully qualified canonical image names (e.g. docker.io/library/alpine), not only the familiar short form. moby/moby#52333
  • Fix a bug where leaving an autolock-enabled swarm could leave orphaned state, causing subsequent swarm init to fail with "Swarm is encrypted and needs to be unlocked". moby/moby#52479
  • Fix an issue where logging errors appeared as empty strings in the daemon log instead of the message that failed to write. moby/moby#52442
  • Fix incorrect SHARED SIZE and UNIQUE SIZE reporting in docker system df -v by including shared content blobs in size calculation. moby/moby#52482
  • Fix support for CDI specifications that request additional group IDs. moby/moby#52579
  • Fix volume subpath file mounts over an existing file in the image failing container creation with "not a directory". moby/moby#52584
  • Sort labels in volume, network, config, and secret formatters for deterministic output. docker/cli#6954
  • Swarm: Prevent corruption of Raft snapshots when swarm state is large. moby/moby#52441

Networking

  • Fix conntrack entries being incorrectly deleted for UDP containers sharing the same port on different IPs when one container is restarted. moby/moby#52423
  • Fix stale VIP DNS records for swarm service network aliases not being removed during rolling updates. moby/moby#52236
  • Fix the userland proxy silently dropping UDP datagrams when a previous write to an unavailable backend left a stale ECONNREFUSED error on the socket. moby/moby#52483
  • Rootless: Properly support --net=host and localhost registries. moby/moby#47103

Go SDK

  • cli/config/configfile: GetAuthConfig, GetCredentialsStore: normalize hostname when resolving auth. docker/cli#6846

Deprecations

  • cli/command/image/build: remove deprecated DefaultDockerfileName const. docker/cli#6737
  • cli/command/image/build: remove deprecated DetectArchiveReader util. docker/cli#6737
  • cli/command/image/build: remove deprecated IsArchive utility. docker/cli#6737
  • cli/command/image/build: remove deprecated ResolveAndValidateContextPath util. docker/cli#6737
  • cli/command/image/build: remove deprecated WriteTempDockerfile util. docker/cli#6737

v29.5.0-rc.1

11 May 20:07
docker-v29.5.0-rc.1
dac64f2

Pre-release

29.5.0-rc.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

New

  • Enable private time namespace for containers by default on supported kernels. moby/moby#52326
  • The local logging-driver now has support for custom attributes, adding support for the label, label-regex, env, env-regex, and tag log-options. moby/moby#52348
  • Windows: The daemon now supports listening on a Unix socket (-H unix://...), with optional group-based access control via --group. moby/moby#52365

Bug fixes and enhancements

  • Add "time-namespaces" feature-flag to disable time-namespaces. moby/moby#52577
  • Daemon reload events now signify that the daemon reload has fully completed. moby/moby#52589
  • Expose diagnostic data about userland proxy in docker info. moby/moby#52321
  • Fix docker image ls --filter reference=... (GET /images/json) to also match fully qualified canonical image names (e.g. docker.io/library/alpine), not only the familiar short form. moby/moby#52333
  • Fix a bug where leaving an autolock-enabled swarm could leave orphaned state, causing subsequent swarm init to fail with "Swarm is encrypted and needs to be unlocked". moby/moby#52479
  • Fix an issue where logging errors appeared as empty strings in the daemon log instead of the message that failed to write. moby/moby#52442
  • Fix incorrect SHARED SIZE and UNIQUE SIZE reporting in docker system df -v by including shared content blobs in size calculation. moby/moby#52482
  • Fix volume subpath file mounts over an existing file in the image failing container creation with "not a directory". moby/moby#52584
  • Sort labels in volume, network, config, and secret formatters for deterministic output. docker/cli#6954
  • Swarm: Prevent corruption of Raft snapshots when swarm state is large. moby/moby#52441

Networking

  • Fix conntrack entries being incorrectly deleted for UDP containers sharing the same port on different IPs when one container is restarted. moby/moby#52423
  • Fix the userland proxy silently dropping UDP datagrams when a previous write to an unavailable backend left a stale ECONNREFUSED error on the socket. moby/moby#52483
  • Rootless: Properly support --net=host and localhost registries. moby/moby#47103

Go SDK

  • cli/config/configfile: GetAuthConfig, GetCredentialsStore: normalize hostname when resolving auth. docker/cli#6846

Deprecations

  • cli/command/image/build: remove deprecated DefaultDockerfileName const. docker/cli#6737
  • cli/command/image/build: remove deprecated DetectArchiveReader util. docker/cli#6737
  • cli/command/image/build: remove deprecated IsArchive utility. docker/cli#6737
  • cli/command/image/build: remove deprecated ResolveAndValidateContextPath util. docker/cli#6737
  • cli/command/image/build: remove deprecated WriteTempDockerfile util. docker/cli#6737

v29.4.3

06 May 17:48
docker-v29.4.3
56be731

29.4.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes

  • CVE-2026-31431: Fix the 29.4.2 regression that broke 32-bit programs and i386 images. The broad socketcall(2) seccomp deny is replaced with targeted AppArmor (deny network alg) and SELinux (alg_socket) rules that block AF_ALG at the LSM layer, covering both socket(2) and socketcall(2) paths without disrupting legitimate 32-bit workloads. moby/moby#52537

    On SELinux-based systems, the SELinux mitigation requires the daemon to be configured with selinux-enabled: true (via daemon.json or the --selinux-enabled CLI flag). This option is not enabled by default.

  • Fix the default AppArmor profile not being updated on daemon restart, requiring a system reboot to pick up profile changes from daemon upgrades. moby/moby#52537

v29.4.2

01 May 07:40
docker-v29.4.2
d329809

29.4.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release includes hardening for CVE-2026-31431.

  • Block AF_ALG sockets and the socketcall(2) multiplexer in the default seccomp profile to prevent in-container privilege escalation via the kernel crypto API ("Copy Fail"). moby/moby#52501

Known issues

The hardening can break 32-bit programs and i386 images, including SteamCMD and some Wine-based workloads. moby/moby#52506

Workaround

Warning

Don't use --security-opt seccomp=unconfined to work around this issue.
Don't use the seccomp/v0.2.0 profile.

If you need a workaround, use the seccomp/v0.2.1 profile from moby/profiles.
Make sure you use a kernel that includes the fix for CVE-2026-31431.

This profile unblocks socketcall while keeping AF_ALG blocked for socket.

Important

Use this workaround only for containers that require it.
Containers that use this profile can still exploit CVE-2026-31431 through the socketcall syscall.

Download the seccomp/v0.2.1 profile:

$ curl -fsSL https://raw.githubusercontent.com/moby/profiles/refs/tags/seccomp/v0.2.1/seccomp/default.json \
  -o /etc/docker/seccomp-profile-v0.2.1.json

Use one of these options. You don't need both.

  1. To use the profile for a specific container when you control the docker run command, use --security-opt:

     $ docker run --security-opt seccomp=<path> ...

  2. To use the profile as the default for containers created by the daemon, add seccomp-profile to your daemon.json:

     {
       "seccomp-profile": "/etc/docker/seccomp-profile-v0.2.1.json"
     }
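As an added example (not part of the moby/moby release notes and not code from the moby/profiles repository), the script below audits the workaround state described above: it reads a daemon.json, checks that "seccomp-profile" is set and is not "unconfined", flags a docker run argument vector that passes --security-opt seccomp=unconfined, and inspects a seccomp profile to report whether socket(AF_ALG, ...) is denied and whether socketcall(2) is still reachable, which is the residual exposure the Important note above describes. The profile JSON shape used (defaultAction, syscalls, names, action, args with index/value/op) is the Docker seccomp profile format; the sample daemon.json and sample profile content are constructed for illustration and are not the real seccomp/v0.2.1 file.

```python
# Added example: audit daemon.json + seccomp profile for the CVE-2026-31431
# workaround state. Sample inputs are constructed, not real moby/profiles content.
import json

AF_ALG = 38  # Linux address family number for kernel crypto API sockets

# Constructed daemon.json in the shape the release notes suggest.
SAMPLE_DAEMON_JSON = '{"seccomp-profile": "/etc/docker/seccomp-profile-v0.2.1.json"}'

# Constructed, illustrative profile: socketcall allowed, socket() allowed except
# when the first argument (the address family) equals AF_ALG.
SAMPLE_PROFILE_JSON = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["socketcall"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["socket"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["socket"], "action": "SCMP_ACT_ERRNO",
         "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}]},
    ],
})

DENY_ACTIONS = ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_TRAP")


def _rule_names(rule):
    """Rules list syscalls under "names" (current) or "name" (legacy format)."""
    names = list(rule.get("names") or [])
    if "name" in rule:
        names.append(rule["name"])
    return names


def _is_deny(action):
    # SCMP_ACT_KILL_PROCESS / SCMP_ACT_KILL_THREAD share the SCMP_ACT_KILL prefix.
    return any(action.startswith(d) for d in DENY_ACTIONS)


def socket_af_alg_denied(profile):
    """True if socket(AF_ALG, ...) cannot succeed: either an explicit deny rule
    matching arg0 == AF_ALG, or no allow rule for socket under a non-allow default."""
    has_allow = False
    for rule in profile.get("syscalls", []):
        if "socket" not in _rule_names(rule):
            continue
        action = rule.get("action", "")
        if _is_deny(action):
            for arg in rule.get("args") or []:
                if (arg.get("index") == 0 and arg.get("op") == "SCMP_CMP_EQ"
                        and arg.get("value") == AF_ALG):
                    return True
        elif action == "SCMP_ACT_ALLOW":
            has_allow = True
    return not has_allow and profile.get("defaultAction") != "SCMP_ACT_ALLOW"


def socketcall_allowed(profile):
    """True if the socketcall(2) multiplexer is reachable: an unconditional allow
    rule, or an allow default with no unconditional deny rule."""
    for rule in profile.get("syscalls", []):
        if "socketcall" not in _rule_names(rule):
            continue
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            return True
        if _is_deny(rule.get("action", "")) and not rule.get("args"):
            return False
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def run_args_use_unconfined(argv):
    """True if a docker run argument vector disables seccomp entirely, via either
    '--security-opt seccomp=unconfined' or '--security-opt=seccomp=unconfined'."""
    opts = []
    for i, arg in enumerate(argv):
        if arg == "--security-opt" and i + 1 < len(argv):
            opts.append(argv[i + 1])
        elif arg.startswith("--security-opt="):
            opts.append(arg.split("=", 1)[1])
    return any(o.strip() == "seccomp=unconfined" for o in opts)


def audit(daemon_json_text, profile_text):
    """Combine the checks into one report for a daemon.json + profile pair."""
    daemon = json.loads(daemon_json_text)
    profile = json.loads(profile_text)
    configured = daemon.get("seccomp-profile")
    report = {
        "daemon_profile_path": configured,
        "daemon_seccomp_unconfined": configured == "unconfined",
        "socket_af_alg_denied": socket_af_alg_denied(profile),
        "socketcall_allowed": socketcall_allowed(profile),
    }
    # Residual exposure as the release notes describe for seccomp/v0.2.1:
    # AF_ALG via socket() is blocked, but the socketcall() path is not.
    report["residual_socketcall_path"] = (
        report["socket_af_alg_denied"] and report["socketcall_allowed"])
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DAEMON_JSON, SAMPLE_PROFILE_JSON).items():
        print(f"{key}: {value}")
```

Run against the real /etc/docker/daemon.json and the downloaded profile, a report with residual_socketcall_path set to True is the expected outcome for the v0.2.1 workaround and is the cue to limit that profile to the containers that need it, as the Important note says; a profile that also denies socketcall unconditionally reports False there.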

v29.4.1

20 Apr 16:45
6c91b92

29.4.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • containerd image store: Fix docker image prune --filter label!=key=value incorrectly skipping images that don't have the specified label. moby/moby#52338
  • Fix --log-opt "tag={{.ImageID}}" not stripping the digest's algorithm. moby/moby#52343
  • Fix intermittent container start failures (EBUSY on secrets/configs remount) on busy Swarm nodes by retrying the read-only remount. moby/moby#52235

Networking

  • If a container has an IPv4-only or an IPv6-only endpoint with higher "gateway priority" than a dual-stack endpoint, the single-stack endpoint will now be used as the default gateway for its address family. moby/moby#52328

client/v0.4.1

20 Apr 14:49
client/v0.4.1
d120835

Bug fixes

  • client: fix ImagePullResponse.Wait, ImagePushResponse.Wait not returning an error if pull/push errors happened during the operation. moby/moby#52305

api/v1.54.2

20 Apr 14:33
api/v1.54.2
6cbde19

Changelog

Full Changelog: api/v1.54.1...api/v1.54.2

v29.4.0

07 Apr 09:22
docker-v29.4.0
daa0cb7

29.4.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • docker cp: report both content size and transferred size. docker/cli#6800
  • Fix docker stats --all still showing containers that were removed. docker/cli#6863
  • Fix a rare bug that could cause containers to become unremovable. moby/moby#51724
  • Fix privileged containers losing their explicit AppArmor profile (--security-opt apparmor=<profile>) after a container restart. moby/moby#52215
  • Improve duplicate container-exit handling by using live containerd task state instead of timestamps. moby/moby#52156
  • Improve image pull and push performance by enabling HTTP keep-alive for registry connections, avoiding redundant TCP and TLS handshakes. moby/moby#52198
  • shell completions: add shell completion for docker rm --link and exclude legacy links for container names. docker/cli#6872
  • shell completions: don't provide completions that were already used. docker/cli#6871
  • Update runc (in static binaries) to v1.3.5. moby/moby#52244
  • Windows: Fix DOCKER_TMPDIR not being respected. moby/moby#52181

Networking

  • Prevent a daemon crash during startup after upgrading if a container config contains a malformed IP address. moby/moby#52275

Deprecations

  • Go SDK: cli-plugins/hooks: deprecate HookMessage and rename to cli-plugins/hooks.Response. docker/cli#6859
  • Go SDK: cli-plugins/hooks: deprecate HookType and rename to cli-plugins/hooks.ResponseType. docker/cli#6859
  • Go SDK: cli-plugins/manager: deprecate HookPluginData and move to cli-plugins/hooks.Request. docker/cli#6859