
Docker 29.5.0 Release Notes: Security Fix & Rootless Overhaul

Jack Pauley May 25, 2026 6 min read

Docker v29.5.0 ships a critical security fix for CVE-2026-32288. The patch prevents denial-of-service attacks from malicious container images. This maintenance release also brings the new gvisor-tap-vsock default network driver for rootless mode and a private time namespace for containers. These Docker 29.5.0 release notes detail backend improvements and bug fixes that directly affect your container workflows.

This maintenance release is recommended for all Docker users. It addresses a high-severity security vulnerability, updates core dependencies like BuildKit and Go, and introduces several networking and rootless improvements. Upgrade to protect your daemon and gain better container isolation.

What Changed

  • Rootless network driver: gvisor-tap-vsock replaces slirp4netns as the default. slirp4netns is no longer installed via Docker packaging.
  • Private time namespace: Enabled by default on supported kernels for better container isolation. A new time-namespaces feature flag lets you disable it.
  • Local logging driver: Now supports custom attributes via label, label-regex, env, env-regex, and tag options.
  • Windows Unix socket: The daemon now listens on -H unix://... with optional group-based access control via --group.
  • Security fix (CVE-2026-32288): Stops unbounded memory allocation when processing sparse tar archives. See GHSA-x4jj-h2v8-hqqv.
  • Bug fixes: docker ps --format .HealthStatus, auth token fixes for per-host TLS, correct docker system df -v sizes, CDI group ID support, volume subpath mounts, and Raft snapshot corruption prevention in Swarm.
  • Networking fixes: Conntrack entries for UDP containers, stale VIP DNS records in Swarm, and userland proxy UDP datagram drops.
  • Dependency updates: BuildKit v0.30.0, Go 1.26.3, RootlessKit v3.0.0.
  • Deprecations: Several cli/command/image/build utilities removed.

Why It Matters

  • Patch CVE-2026-32288 immediately. A crafted image that your daemon processes can exhaust its memory. Upgrade now to close this door.
  • Rootless users get a faster, more reliable network stack under gvisor-tap-vsock. No more slirp4netns dependency.
  • Private time namespaces harden container isolation. This matters for multi-tenant deployments.
  • Windows admins can finally secure Docker access via Unix sockets with group permissions.
  • Auth token fixes end the silent failure of custom CA or insecure-registry setups in containerd integration.
  • docker system df -v now reports correct shared/unique sizes. No more misleading numbers.
  • Swarm users avoid corruption when state grows large. Raft snapshot prevention keeps your cluster stable.
  • UDP proxy drops are fixed. Your network-dependent containers stay connected.

Who Should Upgrade

This release is particularly relevant for API developers building integrations and DevOps teams managing deployments. Rootless Docker users gain a better default network driver. Anyone running Docker in production needs the security patch. Windows admins should upgrade to use Unix socket support. Swarm operators benefit from Raft snapshot fixes. If you use custom registries or CDI devices, the auth and group ID fixes directly affect you.

How to Upgrade

  1. Back up your current Docker configuration and data volumes.
  2. Stop the Docker daemon: sudo systemctl stop docker.
  3. Update the Docker package using your package manager (e.g., sudo apt update && sudo apt upgrade docker-ce docker-ce-cli containerd.io).
  4. Start the daemon: sudo systemctl start docker.
  5. Verify the version: docker version --format '{{.Server.Version}}' should output 29.5.0.
  6. Check for any log warnings after restart.
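
As an added example (not part of the official release notes or Docker's own tooling), the version check in step 5 can be turned into a small audit across several hosts. The host names and inventory are constructed, 29.5.0 as the fixed version comes from this page, and treating release candidates of 29.5.0 as unpatched is a conservative assumption.

```sh
#!/bin/sh
# Added example: list Docker hosts still below the release that fixes
# CVE-2026-32288. Collect each value with the command from step 5:
#   docker version --format '{{.Server.Version}}'
FIXED_VERSION="29.5.0"   # fixed release, per the notes above

# version_ge A B: succeed if dotted numeric version A >= B.
# Fields are compared numerically, so 29.10.0 is newer than 29.5.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# is_patched VERSION: 0 = patched, 1 = needs upgrade, 2 = unparsable.
is_patched() {
    raw=${1#v}
    core=${raw%%[-+~]*}            # drop suffixes such as -rc.1 or +build
    case "$core" in
        ''|*[!0-9.]*) return 2 ;;  # empty or non-numeric: fail closed
    esac
    case "$raw" in                 # assumption: pre-releases lack the fix
        "$FIXED_VERSION"-rc*|"$FIXED_VERSION"-beta*) return 1 ;;
    esac
    version_ge "$core" "$FIXED_VERSION"
}

# unpatched_hosts: read "host version" lines on stdin, print hosts to upgrade.
unpatched_hosts() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        is_patched "$ver" || printf '%s\n' "$host"
    done
}

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY='build-01 29.5.0
build-02 29.4.1
edge-03 28.5.2
ci-04 29.5.0-rc.1
win-05 30.0.0
lab-06 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | unpatched_hosts
```

Hosts whose version cannot be parsed are listed alongside the outdated ones, so an unreachable or misreporting daemon is never counted as patched.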

Usage Examples

  • Rootless with new driver: After upgrade, rootless Docker automatically uses gvisor-tap-vsock. No action needed.
  • Health status in ps output: Run docker ps --format '{{.ID}}\t{{.Names}}\t{{.HealthStatus}}' to see container health directly.
  • Local logging with custom labels: Start a container with docker run --log-opt labels=env --label env=prod .... Log entries now include the env attribute.
  • Disable time namespaces: Pass --feature time-namespaces=disable to the daemon if you encounter compatibility issues.
  • Windows Unix socket: Start the daemon with dockerd -H unix:///var/run/docker.sock --group docker. Connect from WSL or native clients.

Known Issues

  • No known issues reported in official release notes. The team has not documented any regressions.

Official Release Notes

View full release notes on GitHub →

πŸ› οΈ Try These Free Tools

🐳 Dockerfile Security Linter

Paste a Dockerfile for instant security and best-practice analysis.

πŸ“¦ Dependency EOL Scanner

Paste your dependency file to check for end-of-life packages.

πŸ—ΊοΈ Upgrade Path Planner

Plan your upgrade path with breaking change warnings and step-by-step guidance.

See all free tools β†’

Stay Updated

Get the best releases delivered monthly. No spam, unsubscribe anytime.

By subscribing you agree to our Privacy Policy.