Docker 29.5.0 Release Notes: Security Fixes & Bug Patches

Docker v29.5.0 shipped on May 14, 2026, packing a serious security patch and a long list of bug fixes. The docker 29.5.0 release notes highlight a CVE fix for a denial-of-service vulnerability in image pulls. This release also brings a new time-namespace feature, updated dependencies, and plenty of networking repairs. It is a must-read for anyone running containers in production.

This maintenance release is recommended for all Docker users. The upgrade fixes a critical denial-of-service vulnerability (CVE-2026-32288) and addresses over a dozen bugs in networking, storage, and CLI behavior. You should upgrade to protect your infrastructure and gain better container visibility.

What Changed

Private time namespaces: Enabled by default on supported kernels. New feature flag allows disabling.
Local logging driver: Now supports custom attributes (label, label-regex, env, env-regex, tag).
Windows Unix socket: Daemon can listen on a Unix socket, with optional group-based access control.
Security fix (CVE-2026-32288): Fixes unbounded memory allocation when pulling maliciously crafted images.
docker ps –format: Added .HealthStatus placeholder for container health state.
containerd auth: Fix for TLS settings (custom CAs, insecure-registries) being ignored.
Daemon reload: Now signals when reload fully completes.
Userland proxy data: Exposed in docker info.
Image filter fix: docker image ls –filter reference=… matches fully qualified names.
Swarm autolock: Fix for orphaned state after leaving encrypted swarm.
Logging errors: No longer appear as empty strings in daemon log.
docker system df -v: Corrects SHARED SIZE and UNIQUE SIZE by including shared content blobs.
CDI group IDs: Now properly supports additional group IDs.
Volume subpath mounts: Fix for file mounts over existing files failing.
Deterministic output: Labels sorted in volume, network, config, and secret formatters.
Swarm Raft snapshots: Prevent corruption on large state.
Networking: Fix conntrack entries for UDP, stale VIP DNS records, and silent UDP drops.
Rootless: Support –net=host and localhost registries.
Packaging: Updated BuildKit to v0.30.0, Go to 1.26.3, RootlessKit to v3.0.0.
Deprecations: Removed five deprecated build utilities (e.g., DefaultDockerfileName).

Why It Matters

Maintenance release: no specific features or changes documented in release notes

Who Should Upgrade

This release is particularly relevant for API developers building integrations and DevOps teams managing deployments. Anyone running Docker in production should upgrade immediately due to the CVE fix. The time-namespace changes affect all container workloads. Rootless users and Windows admins will find critical improvements.

How to Upgrade

Install the new Docker package: sudo apt-get update && sudo apt-get install docker-ce=5:29.5.0~3-0~ubuntu-focal (Debian/Ubuntu) or equivalent for your OS.
Restart the Docker daemon: sudo systemctl restart docker
Verify the new version: docker --version should show 29.5.0.
Check for any deprecation warnings in your CI/CD scripts (five build utilities removed).

Usage Examples

Health check at a glance: Run docker ps --format 'table {{.Names}} {{.HealthStatus}}' to see container health status.
Custom log attributes: Use --log-opt labels=env with the local logging driver to tag logs.
Disable time namespaces: Start the daemon with --feature-no-time-namespaces if you encounter compatibility issues.

Breaking Changes

Deprecated build utilities removed: DefaultDockerfileName, DetectArchiveReader, IsArchive, ResolveAndValidateContextPath, and WriteTempDockerfile are no longer available in cli/command/image/build. Update any scripts that reference these.
Private time namespaces enabled by default: Containers now have separate time namespaces on supported kernels. Use the feature flag to disable if needed.