Docker 29.5.0 Release Notes: Security Fix, Rootless Driver

Docker v29.5.0 ships with a critical security fix, a new default rootless network driver, and a dozen quality-of-life improvements. The docker 29.5.0 release notes reveal 14 bug fixes, several packaging updates, and one CVE patch. Pulling a malicious image could crash your daemon before this release. Not anymore. This maintenance drop also introduces time-namespaces by default and a long-awaited Windows Unix socket. Teams running rootless containers should pay close attention to the new gvisor-tap-vsock driver.

This maintenance release is recommended for all Docker users, especially rootless and swarm operators. The upgrade patches a high-severity denial-of-service vulnerability and fixes more than a dozen bugs that affect daily operations.

What Changed

• Rootless networking: gvisor-tap-vsock replaces slirp4netns as the default rootless network driver. Slirp4netns no longer ships with Docker packages.
• Time namespaces: Enabled by default on supported kernels. New feature flag --feature time-namespaces lets you disable it.
• Log driver: Local logging driver now supports custom attributes via --label, --label-regex, --env, --env-regex, and --tag.
• Windows Unix socket: Windows daemon can listen on a Unix socket (-H unix://...) with optional group access via --group.
• BuildKit: Updated to v0.30.0.
• Go runtime: Bumped to 1.26.3.
• RootlessKit: Updated to v3.0.0.

Bug Fixes

• CVE-2026-32288: Fixed a denial of service in sparse tar archive processing.
• containerd auth: Fixed auth token requests ignoring per-host TLS settings.
• docker ps: New .HealthStatus placeholder in --format.
• docker image ls --filter reference=...: Now matches fully qualified names like docker.io/library/alpine.
• Swarm autolock: Fixed orphaned state after leaving encrypted swarm.
• Logging errors: Fixed empty error strings in daemon logs.
• docker system df -v: Fixed SHARED SIZE and UNIQUE SIZE reporting.
• CDI: Fixed support for device specifications that request extra group IDs.
• Volume subpath mounts: Fixed not a directory error when mounting over an existing file.
• Sort labels: Volume, network, config, and secret formatters now output deterministic order.
• Swarm Raft: Fixed snapshot corruption with large state.
• UDP conntrack: Fixed incorrect conntrack deletion for shared ports.
• VIP DNS: Fixed stale swarm service alias records during rolling updates.
• Userland proxy: Fixed silent UDP datagram drops due to stale ECONNREFUSED.
• Rootless: --net=host and localhost registries now work properly.

Deprecations

• docker build CLI: Removed deprecated constants and utilities: DefaultDockerfileName, DetectArchiveReader, IsArchive, ResolveAndValidateContextPath, WriteTempDockerfile.

Why It Matters

• Security: CVE-2026-32288 allowed a crafted image to consume unlimited memory. This prevented attackers from crashing your daemon with a single docker pull.
• Rootless usability: The new default driver delivers better performance and compatibility. No more manual slirp4netns installation.
• Time isolation: Time namespaces protect containers from host clock changes. This hardened time-sensitive workloads.
• Network reliability: UDP drops, stale DNS, and conntrack leaks are gone. Restarting one container no longer breaks another.
• Storage accounting: docker system df -v now reports accurate shared and unique sizes. You can trust the numbers for cleanup.

Who Should Upgrade

This release is particularly relevant for rootless Docker users who will benefit from the new gvisor-tap-vsock driver. Swarm operators running encrypted clusters should upgrade to avoid the autolock bug. Anyone using CDI devices, volume subpath mounts, or Windows with Unix sockets will find targeted fixes. All users should apply this release to close CVE-2026-32288.

How to Upgrade

1. Stop your Docker daemon: sudo systemctl stop docker
2. Install the new version via your package manager. For example, on Ubuntu/Debian: sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin
3. On Windows, download the installer from the official Docker Desktop release page and run it.
4. Start the daemon: sudo systemctl start docker
5. Verify the version: docker --version should show 29.5.0.
6. Check the rootless driver: if you run rootless, ensure the new gvisor-tap-vsock is active: docker info | grep -i rootless.

Usage Examples

• Health status in list: Run docker ps --format "table {{.Names}}\t{{.HealthStatus}}" to see which containers are healthy, starting, or unhealthy.
• Filter by canonical name: Use docker image ls --filter reference=docker.io/library/alpine to find images by their full registry path.
• Disk usage with correct sizes: Run docker system df -v. The SHARED SIZE and UNIQUE SIZE columns now count content blobs correctly.
• Custom log attributes: Start a container with docker run --log-driver=local --log-opt labels=foo --label foo=bar alpine echo hello to attach metadata to log lines.
• Windows Unix socket: Start the Docker daemon on Windows with dockerd -H unix:///var/run/docker.sock --group docker.
• Time namespaces off: If you need to disable time isolation, pass --feature time-namespaces=false to the daemon.

Known Issues

• No known issues reported in official notes.

Feature Flow

Official Release Notes

View full release notes on GitHub →

🛠️ Try These Free Tools

See all free tools →