Docker 29.5.0 ships on May 14, 2026 with a security fix for a denial-of-service vulnerability (CVE-2026-32288) and several critical bug fixes. The official Docker 29.5.0 release notes confirm that this maintenance release patches a flaw that lets a malicious image crash the daemon. It also adds a new time-namespace feature flag, improves local logging, and fixes persistent networking issues in UDP containers. If you run Docker in production, this release demands your attention.
This maintenance release is recommended for all Docker users. It fixes a high-severity CVE that could allow attackers to exhaust memory via crafted sparse tar archives. It also resolves seven networking bugs including a conntrack deletion error and a silent UDP datagram drop in the userland proxy. Upgrade now to close the security gap and stop unpredictable container restarts.
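A triage check for hosts that cannot be patched right away, as an added example that is not Docker's fix or code from the release notes: it reads only the tar headers of an uncompressed layer and reports sparse members whose declared size dwarfs the bytes actually stored. The page does not describe the exact trigger for CVE-2026-32288, so the 100x `RATIO_LIMIT`, the function names and the sample layer are assumptions.

```python
import io
import tarfile

RATIO_LIMIT = 100  # assumption: flag members declaring >100x their stored bytes

def sparse_members(layer: bytes):
    """List (name, declared_size, stored_bytes) for sparse members, headers only."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:") as tf:
        for m in tf:  # iterating parses headers; file data is never expanded
            if m.issparse():
                found.append((m.name, m.size, sum(n for _, n in m.sparse)))
    return found

def suspicious(layer: bytes, limit: int = RATIO_LIMIT):
    """Sparse members whose declared size exceeds limit x the bytes stored."""
    return [e for e in sparse_members(layer) if e[1] > limit * max(e[2], 1)]

def constructed_layer() -> bytes:
    """Constructed sample: a regular file plus one old-GNU sparse member
    (typeflag 'S'), the kind of entry `tar --sparse` writes for a holey file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo("etc/motd")
        info.size = 5
        tf.addfile(info, io.BytesIO(b"hello"))
    regular = buf.getvalue()[:1024]  # header block + padded data block

    name, data, real_size = b"var/cache.img", b"x" * 512, 64 * 1024 * 1024
    h = bytearray(512)

    def octal(off, width, n):
        h[off:off + width] = f"{n:0{width - 1}o}".encode() + b"\0"

    h[:len(name)] = name
    octal(124, 12, len(data))          # bytes actually stored in the archive
    h[156:157] = b"S"                  # GNU sparse typeflag
    h[257:265] = b"ustar  \0"          # GNU magic
    octal(386, 12, 0)                  # first sparse segment: offset 0
    octal(398, 12, len(data))          # ... holding len(data) bytes
    octal(483, 12, real_size)          # declared (expanded) size
    h[148:156] = b" " * 8              # checksum is computed over spaces
    h[148:156] = f"{sum(h):06o}".encode() + b"\0 "
    return regular + bytes(h) + data + b"\0" * 1024  # two zero blocks end it

if __name__ == "__main__":
    for name, declared, stored in suspicious(constructed_layer()):
        print(f"{name}: declares {declared} bytes, stores {stored}")
```

Sparse members are uncommon in image layers, so any hit is worth a manual look before the image reaches an unpatched daemon; legitimate sparse files will also be reported.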
What Changed
- New time-namespace feature flag: added “time-namespaces” flag to disable time-namespaces.
- Updated dependencies: BuildKit updated to v0.30.0; Go runtime updated to 1.26.3; RootlessKit updated to v3.0.0.
- CVE-2026-32288 fix: prevented denial of service from maliciously crafted images with sparse tar archives.
- containerd integration fix: auth token requests now respect per-host TLS settings (custom CAs, insecure-registries).
- docker image ls fix: --filter reference=… now matches fully qualified canonical names (e.g., docker.io/library/alpine).
- Swarm fix: leaving an autolock-enabled swarm no longer leaves orphaned state.
- Logging fix: daemon log no longer shows empty strings where error messages should appear.
- docker system df fix: SHARED SIZE and UNIQUE SIZE now include shared content blobs in calculation.
- CDI fix: specifications requesting additional group IDs now work.
- Volume mount fix: subpath file mounts over an existing file no longer fail with “not a directory”.
- Networking fixes: conntrack entries for UDP containers with same port on different IPs no longer deleted incorrectly; stale VIP DNS records for swarm service network aliases removed during rolling updates; userland proxy no longer drops UDP datagrams due to stale ECONNREFUSED errors; rootless --net=host and localhost registries now work.
- Deprecations: removed deprecated DefaultDockerfileName, DetectArchiveReader, IsArchive, ResolveAndValidateContextPath, and WriteTempDockerfile utilities.
Why It Matters
- This is a security release. CVE-2026-32288 could let an attacker crash your Docker daemon with a single crafted image pull. You should patch within 24 hours.
- Seven networking bugs fixed. UDP containers that share the same port on different IPs will no longer drop connection entries when one container restarts. The userland proxy will stop losing UDP datagrams silently.
- docker system df now reports accurate shared and unique sizes. If you use that command to monitor disk usage, your numbers will finally be correct.
- Deprecated build utilities removed. If you call any of those functions from a Go SDK project, update your imports now.
Who Should Upgrade
This release is particularly relevant for API developers building integrations and DevOps teams managing deployments. If you run Docker in production, upgrade immediately to protect against CVE-2026-32288. Networking teams managing UDP services or Swarm with large state should also update. If you use custom CAs or insecure registries with containerd, the auth token fix will prevent 401 errors.
How to Upgrade
- Check your current Docker version: `docker --version` should show 29.5.0.
- On Ubuntu/Debian: run `sudo apt update && sudo apt upgrade docker-ce docker-ce-cli containerd.io`.
- On CentOS/RHEL: run `sudo yum update docker-ce docker-ce-cli containerd.io`.
- On macOS or Windows: download the latest Docker Desktop from the official site and install.
- Verify the upgrade: `docker version` should show Client and Server version 29.5.0.
Usage Examples
- Time-namespace flag: If you need to disable the newly enabled private time namespace, pass `--feature-no-time-namespaces` to dockerd or set `features.time-namespaces: false` in daemon.json.
- docker system df: Run `docker system df -v` to see corrected SHARED SIZE and UNIQUE SIZE values. This helps plan storage capacity.
- Health status in ps: Use `docker ps --format '{{.HealthStatus}}'` to display container health in scripts.
Known Issues
- No known issues reported in official notes.