Docker 29.2.1 Release Notes: No CVEs Listed, Still Patch Fast

Jack Pauley February 12, 2026 6 min read
No CVEs listed. Patch anyway.

I treat this release as an availability and segmentation risk fix. If you run encrypted overlay networks, 29.2.0 can break east-west traffic in a way that looks like a security incident and burns hours.

Security impact and attack surface changes

The advisory does not specify any CVE IDs for Docker 29.2.1. That does not make this low risk. A daemon panic gives an attacker a denial-of-service primitive if they can trigger the code path, and a broken encrypted overlay can push teams into unsafe “quick fixes” like dropping encryption or punching holes in firewall rules.

  • No CVEs called out in the release notes: Treat this as “no public CVE mapping,” not “no security impact.” Verify against Docker security announcements and your SBOM feed.
  • BuildKit bumped to v0.27.1 (supply chain surface): Any build system update changes your trust boundary. Pin and test your build pipeline, especially if you use buildx, remote builders, or cache imports.

If you do not upgrade and you hit the overlay regression, teams often disable encryption to restore traffic. That turns a reliability bug into a compliance failure.

Security-relevant fixes (treat as urgent)

This bit me once in a different stack. A “network regression” caused a flood of alerts that looked like lateral movement, then someone suggested “just run it unencrypted for tonight.” Do not do that.

  • Encrypted overlay networking regression fixed: Docker fixes encrypted overlay networks not passing traffic to containers on v28 and older Engines. The release notes list affected versions as v29.2.0 through v29.0.0, v28.2.2, v25.0.14, and v25.0.13. If you run mixed fleets, you sit in the blast radius.
  • Daemon panic fixes (DoS risk): Docker fixes a panic after failed daemon initialization and a potential panic on docker network prune. A crash loop can take a node out of service and strand workloads.
  • Concurrent operations race fixed: Docker fixes docker system df failing when it runs concurrently with docker system prune. This sounds boring until a cleanup job fails mid-incident and you lose visibility.

Breaking changes

The official notes do not list breaking changes for 29.2.1. I still assume you can break something if you rely on undocumented behavior.

So. Run a canary first.

Everything else in this patch

Docker also fixes duplicate container exit event handling to avoid repeated cleanup. You probably only notice this when your logs fill with weird lifecycle noise and your on-call starts guessing.

  • Container lifecycle cleanup correctness: Fixes duplicate exit handling to reduce repeated cleanup work and state churn.
  • Build system update: BuildKit v0.27.1 comes in with upstream fixes. The release notes do not spell out which ones matter to your environment.

Who should patch before your next standup

Patch today if you run encrypted overlays. Patch today if you run automation that hits prune.

  • Immediate: Any production host using encrypted overlay networks, especially mixed Engine versions. Also patch if you run scheduled docker network prune or have seen daemon crashes on startup.
  • Within 72 hours: CI builders that depend on BuildKit behavior, caching, or remote builders. The BuildKit bump changes your build surface area.
  • Next maintenance window: Single-node dev boxes that do not use overlays and do not run automated prune jobs. You can be less paranoid here.

Upgrade and verification (minimum compliance checklist)

Do not “just yum update” on a fleet. Prove impact, patch a canary, then roll.

  • Preflight: Identify encrypted overlays and affected nodes. Run docker network ls and docker network inspect <net>, then confirm which hosts run the vulnerable versions with docker version.
  • Upgrade: Use your package manager to install Docker Engine 29.2.1 from official repos, then restart the service via systemd. Keep your old package cached so you can roll back.
  • Verify: Confirm both Client and Server show 29.2.1. Then run a cross-node container-to-container test on the encrypted overlay. Watch logs with journalctl -u docker.service for fresh panics during startup and during a controlled docker network prune in staging.
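A preflight helper for the checklist above, added here as an example and not taken from the Docker project or the release notes. It encodes the affected-version list from this post (treating "v29.2.0 through v29.0.0" as every 29.0.x and 29.1.x release plus 29.2.0, which is an assumption), flags encrypted overlays from docker network inspect output using grep only, and assumes the docker CLI is on PATH for the live path. The JSON samples at the bottom are constructed so the helpers can be checked offline.

```shell
#!/bin/sh
# Added preflight helper for the 29.2.1 upgrade checklist; not Docker's own code.
# Live use needs the docker CLI on PATH; the samples below are constructed
# inspect output for an offline self-check.

# Affected Engine versions as listed in the 29.2.1 release notes.
# Assumption: "v29.2.0 through v29.0.0" covers every 29.0.x and 29.1.x
# release plus 29.2.0. Accepts both "v29.2.0" and "29.2.0".
needs_patch() {
  case "${1#v}" in
    29.0.*|29.1.*|29.2.0|28.2.2|25.0.14|25.0.13) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `docker network inspect <net>` JSON on stdin. Succeeds only for an
# overlay network created with --opt encrypted, which the Engine reports as
# an "encrypted" key under Options. Coarse grep match, no jq required.
is_encrypted_overlay() {
  inspect_json=$(cat)
  printf '%s\n' "$inspect_json" | grep -q '"Driver": *"overlay"' &&
    printf '%s\n' "$inspect_json" | grep -q '"encrypted"'
}

# Live preflight: name every encrypted overlay visible from this host and
# say whether the Server version is on the affected list.
preflight() {
  for net in $(docker network ls --filter driver=overlay -q); do
    if docker network inspect "$net" | is_encrypted_overlay; then
      echo "encrypted overlay: $(docker network inspect -f '{{.Name}}' "$net")"
    fi
  done
  server=$(docker version -f '{{.Server.Version}}')
  if needs_patch "$server"; then
    echo "Server $server is on the affected list: patch this host"
  else
    echo "Server $server is not on the affected list"
  fi
}

# Constructed samples (not real inspect output) for checking the helpers offline.
SAMPLE_ENCRYPTED='[{"Name": "svc-net", "Driver": "overlay", "Options": {"encrypted": ""}}]'
SAMPLE_PLAIN='[{"Name": "svc-net", "Driver": "overlay", "Options": {}}]'
SAMPLE_BRIDGE='[{"Name": "bridge", "Driver": "bridge", "Options": {"encrypted": ""}}]'

# Run the live checks only when explicitly requested, so the file can be
# sourced for its functions without touching the daemon.
if [ "${DOCKER_PREFLIGHT_LIVE:-0}" = "1" ]; then
  preflight
fi
```

Run it with DOCKER_PREFLIGHT_LIVE=1 on each candidate host before the canary upgrade, then again after the upgrade: the second run should report the Server version as not on the affected list while still naming the same encrypted overlays, which is the point at which the cross-node container-to-container test above is worth running.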

Until we see a PoC, the real risk is operational: a crash loop or a “temporary” removal of network encryption under pressure.

Known issues

The official release notes do not list known issues for 29.2.1. I do not trust “none” as a guarantee. Anyway.

References

Official release notes live on GitHub. Review the upstream PRs and your vendor packaging channel before rollout.

  • Moby/Docker Engine v29.2.1: https://github.com/moby/moby/releases/tag/docker-v29.2.1