The Docker 29.5.0 release notes landed on May 14 with a heavy dose of bug fixes, a critical security patch, and a handful of new features. This maintenance release fixes 13 bugs, addresses CVE-2026-32288, and adds time namespace support by default. The changelog runs deep. It covers networking, storage reporting, logging, and swarm reliability. For teams running Docker in production, this is a must-read release. Skip it, and you might leave your daemon exposed to a denial-of-service attack from a malicious image.
This major maintenance release is recommended for all Docker users. It patches a high-severity CVE, fixes long-standing bugs in networking and storage reporting, and enables time namespaces for better container isolation. Upgrade now to close the security gap and improve system stability.
What Changed
- New feature: Time namespaces: Enabled by default on supported kernels. Also adds a `--time-namespaces` feature flag to disable it.
- Local logging driver: Now supports custom attributes via `label`, `label-regex`, `env`, `env-regex`, and `tag` options.
- Windows daemon: Supports listening on a Unix socket (`-H unix://...`) with optional group-based access control (`--group`).
- Security fix: Fixes CVE-2026-32288, a denial-of-service vulnerability. Maliciously crafted images could cause unbounded memory allocation.
- Bug fix: Auth token requests: containerd integration now respects per-host TLS settings (custom CAs, insecure registries).
- Bug fix: Image filtering: `docker image ls --filter reference=...` now matches fully qualified canonical image names.
- Bug fix: Swarm autolock: Leaving an autolock-enabled swarm no longer leaves orphaned state that blocks future swarm init.
- Bug fix: Storage reporting: `docker system df -v` now correctly reports shared and unique sizes.
- Bug fix: Volume subpath: File mounts over existing files in the image no longer fail with “not a directory”.
- Bug fix: Conntrack cleanup: UDP containers sharing the same port on different IPs no longer lose conntrack entries when one container restarts.
- Bug fix: Stale DNS records: Swarm service network aliases are properly cleaned up during rolling updates.
- Bug fix: UDP proxy drops: Userland proxy no longer silently drops UDP datagrams after a backend write error.
- Rootless improvements: Proper support for `--net=host` and localhost registries.
- Deprecations: Removed several deprecated CLI build utilities (`DefaultDockerfileName`, `DetectArchiveReader`, `IsArchive`, `ResolveAndValidateContextPath`, `WriteTempDockerfile`).
- Packaging updates: BuildKit updated to v0.30.0, Go runtime to 1.26.3, RootlessKit to v3.0.0.
Why It Matters
- Time namespaces give containers a consistent time view. This improves isolation for security-sensitive workloads.
- CVE-2026-32288 lets an attacker crash the daemon with a single malicious image. You must update to close this door.
- Windows Unix socket support simplifies management for hybrid environments running Docker on Windows.
- Auth token fix means registries with custom TLS configurations work again. No more auth errors for internal registries.
- Storage size fix gives you accurate disk usage reports. No more surprises when planning capacity.
Who Should Upgrade
This release is particularly relevant for DevOps teams and system administrators running Docker in production. If you manage registries with custom TLS certificates, use docker system df for capacity planning, or run swarm services with rolling updates, upgrade immediately. Teams on Windows using Docker should also upgrade to gain Unix socket support. Rootless users will benefit from proper --net=host support. Anyone using the deprecated CLI build utilities should migrate to the newer Docker BuildKit workflows.
How to Upgrade
- Check your current version: `docker version`
- Download the latest package from Docker’s official repository: `sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io` (for Debian/Ubuntu). For other platforms, use the appropriate package manager or Docker Desktop.
- Stop the Docker daemon: `sudo systemctl stop docker`
- Install the new version: follow the package manager update or run the installer.
- Restart the daemon: `sudo systemctl start docker`
- Verify the upgrade: `docker version` should show version 29.5.0.
- For rootless installs, update RootlessKit via your package manager or by re-running the rootless installation script.
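The verification step above, extended to a list of hosts, as an added example that is not part of the release notes or of Docker's tooling. The function names, hostnames and sample versions are constructed for illustration; it flags any engine older than 29.5.0 and checks whether the running kernel exposes time namespaces.

```shell
#!/bin/sh
# Added example: post-upgrade audit helpers (not Docker's own tooling).
FIXED_VERSION="29.5.0"   # release the page says addresses CVE-2026-32288

# version_ge HAVE WANT: succeed when HAVE >= WANT (major.minor.patch).
# Build metadata ("+azure-2") is ignored; a pre-release of WANT itself
# ("29.5.0-rc.1") counts as older because it may predate the fix.
version_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        sub(/^v/, "", have)
        pre = (have ~ /^[0-9.]+-/)
        sub(/[-+~].*$/, "", have)
        split(have, h, "."); split(want, w, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit (pre ? 1 : 0)
    }' </dev/null
}

# audit_inventory: read "host version" lines on stdin and print each host
# older than FIXED_VERSION. Returns 1 if any host needs the upgrade.
audit_inventory() {
    rc=0
    while read -r host ver; do
        case $host in ''|'#'*) continue ;; esac
        if ! version_ge "$ver" "$FIXED_VERSION"; then
            echo "$host $ver"
            rc=1
        fi
    done
    return "$rc"
}

# time_ns_supported [PROCDIR]: kernels built with time namespaces expose
# /proc/self/ns/time. PROCDIR defaults to /proc and is overridable for tests.
time_ns_supported() {
    [ -e "${1:-/proc}/self/ns/time" ]
}

# Constructed inventory. On a real host, collect the value with:
#   docker version --format '{{.Server.Version}}'
SAMPLE_INVENTORY='build-01 29.5.0
edge-02 29.4.1
ci-03 28.3.3+azure-2
lab-04 29.5.0-rc.1'
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory || echo "upgrade the hosts listed above"
```

An unparsable or empty version string compares as 0.0.0, so the host is reported rather than silently passed.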
Usage Examples
- Enable time namespaces: By default, time namespaces are active on kernels that support them. To disable them, start the daemon with `--feature-flags time-namespaces=false`.
- Filter images by canonical name: Now `docker image ls --filter reference='docker.io/library/alpine'` returns the correct list. Previously you had to use just `alpine`.
- Check container health state: Use `docker ps --format '{{.ID}} {{.HealthStatus}}'` to see starting, healthy, or unhealthy in a dedicated column.
- Use custom log attributes: Start a container with `docker run --log-opt tag='{{.Name}}/{{.ID}}' --log-opt labels=region` to tag logs with container name and ID, plus a region label.
- Windows Unix socket: Start the daemon with `dockerd -H unix:///var/run/docker.sock --group docker-users` to allow access to members of the `docker-users` group.
Breaking Changes
- Deprecated CLI build utilities removed: Scripts using `DefaultDockerfileName`, `DetectArchiveReader`, `IsArchive`, `ResolveAndValidateContextPath`, or `WriteTempDockerfile` will break. Migrate to Docker BuildKit or the modern CLI APIs.
Known Issues
- No known issues reported in the official release notes.