Docker 29.5.0 Release Notes: Security Patches & Bug Fixes

Jack Pauley May 20, 2026 6 min read

Docker 29.5.0 release notes landed on May 14, 2026. This maintenance release packs backend improvements and critical security fixes. It resolves CVE-2026-32288, a denial-of-service vulnerability that could crash the daemon. The update also adds private time namespaces by default on supported kernels. If you run Docker in production, this patch addresses multiple bugs in networking, volume mounts, and image filtering. The release ships with BuildKit v0.30.0, Go 1.26.3, and RootlessKit v3.0.0. Expect smoother operation for container orchestration and swarm management.

This maintenance release is recommended for all Docker users who value stability and security. The upgrade patches a high-severity CVE and fixes over a dozen bugs in networking, storage, and CLI formatting.

What Changed

  • Time Namespace Feature Flag: Added “time-namespaces” flag to disable private time namespaces.
  • BuildKit Update: Updated to v0.30.0 for improved build performance and security.
  • Go Runtime: Updated to 1.26.3 for security patches and performance gains.
  • RootlessKit: Updated to v3.0.0 for rootless container improvements.
  • CVE-2026-32288: Fixed a denial-of-service vulnerability when processing sparse tar archives.
  • Containerd Auth: Fixed auth token requests ignoring per-host TLS settings.
  • Image Filter: Fixed docker image ls --filter reference=... to match fully qualified names.
  • Swarm Autolock: Fixed orphaned state after leaving an autolock-enabled swarm.
  • Logging Errors: Fixed empty string appearing in daemon log instead of actual error message.
  • Disk Usage: Fixed incorrect SHARED SIZE and UNIQUE SIZE in docker system df -v.
  • CDI Support: Fixed support for CDI specifications requesting extra group IDs.
  • Volume Subpath Mounts: Fixed container creation failure with “not a directory” error.
  • Conntrack Deletion: Fixed conntrack entries incorrectly deleted for UDP containers on different IPs after restart.
  • Swarm VIP DNS: Fixed stale VIP DNS records for service network aliases during rolling updates.
  • UDP Proxy Drop: Fixed userland proxy silently dropping UDP datagrams after write to unavailable backend.
  • Rootless Networking: Properly supported --net=host and localhost registries in rootless mode.

Why It Matters

  • This is a maintenance release. No flashy new features appear. But the fixes matter. The CVE patch alone justifies the upgrade. Attackers could crash your daemon with a crafted image. That stops here.
  • Networking bugs hit production hard. UDP datagram drops and conntrack errors cause silent failures. Swarm DNS issues break service discovery. This release cleans those up.
  • Volume subpath mounts failing with a misleading error wasted developer time. That fix alone saves debugging hours.

Who Should Upgrade

This release is particularly relevant for DevOps teams running Docker in production environments, especially those using swarm mode, custom registries, or rootless containers. Security-conscious administrators will want to patch CVE-2026-32288 immediately. Developers building CI/CD pipelines with Docker will benefit from the BuildKit and Go runtime updates.

How to Upgrade

  1. Check your current version: docker version (look for the Engine version).
  2. Stop the Docker daemon: sudo systemctl stop docker.
  3. Install the new binary: download the 29.5.0 package from the official Docker repository or build from source.
  4. Start the daemon: sudo systemctl start docker.
  5. Verify the upgrade: docker version should show version 29.5.0.
  6. Run a quick smoke test: docker run hello-world to confirm everything works.
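
A version gate for steps 1 and 5, added here as an example and not taken from the Docker project: it classifies Engine versions against 29.5.0, the release this page says carries the CVE-2026-32288 fix. The inventory host names and versions are constructed, and treating every version below 29.5.0 as unpatched is an assumption that ignores vendor backports.

```shell
#!/bin/sh
# Added example: classify Docker Engine versions against the fixed release.
FIXED_VERSION="29.5.0"   # release named on this page as fixing CVE-2026-32288

# version_ge HAVE WANT: 0 if HAVE >= WANT, 1 if lower, 2 if unparsable.
# Build metadata ("+dfsg1") is ignored; a pre-release ("-rc.1") of the
# same core version counts as lower than the final release.
version_ge() {
    have=${1#v}; want=${2#v}
    hc=${have%%[-+]*}; wc=${want%%[-+]*}
    [ -n "$hc" ] && [ -n "$wc" ] || return 2
    for i in 1 2 3; do
        # Pad with ".0.0" so short versions such as "29.5" still compare.
        h=$(printf '%s.0.0' "$hc" | cut -d. -f"$i")
        w=$(printf '%s.0.0' "$wc" | cut -d. -f"$i")
        case "$h" in ''|*[!0-9]*) return 2 ;; esac
        case "$w" in ''|*[!0-9]*) return 2 ;; esac
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    case "$have" in "$hc"-*) return 1 ;; esac
    return 0
}

# engine_status VERSION: print PATCHED, UNPATCHED or UNKNOWN.
engine_status() {
    rc=0
    version_ge "$1" "$FIXED_VERSION" || rc=$?
    case $rc in
        0) echo PATCHED ;;
        1) echo UNPATCHED ;;
        *) echo UNKNOWN ;;
    esac
}

# Constructed sample inventory ("host version" per line), not real hosts.
SAMPLE_INVENTORY='build-01 29.5.0
edge-02 29.4.1
ci-03 29.5.0-rc.1
db-04 30.0.0
old-05 28.3.3+dfsg1
bad-06 unknown'

audit_inventory() {
    printf '%s\n' "$1" | while read -r host ver; do
        printf '%s %s %s\n' "$host" "$ver" "$(engine_status "$ver")"
    done
}

# --live checks the local daemon; otherwise the sample inventory is audited.
if [ "${1:-}" = "--live" ]; then
    engine_status "$(docker version --format '{{.Server.Version}}' 2>/dev/null)"
else
    audit_inventory "$SAMPLE_INVENTORY"
fi
```

An UNKNOWN result with `--live` means the daemon did not answer, which is also what step 5 would show after a failed restart.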

Usage Examples

Check container health status in ps output: Use docker ps --format '{{.HealthStatus}}' to display starting, healthy, or unhealthy for each container. This replaces manual inspection of health check logs.

Disable time namespaces: If your workload conflicts with private time namespaces, set the feature flag: dockerd --feature-flags="time-namespaces=false".

List images with canonical names: Run docker image ls --filter reference=docker.io/library/alpine to match fully qualified names, not just short forms.

Known Issues

  • No known issues reported in the official release notes.

Official Release Notes

View full release notes on GitHub →
