Engine Release Notes

Bug fixes and enhancements

• docker cp: report both content size and transferred size
• Fix docker stats --all still showing containers that were removed
• Fix a rare bug that could cause containers to become unremovable
• Fixed privileged containers losing their explicit AppArmor profile after a container restart
• Improved duplicate container-exit handling by using live containerd task state
• Improved image pull and push performance by enabling HTTP keep-alive for registry connections
• shell completions: add shell completion for docker rm --link and exclude legacy links for container names
• shell completions: don't provide completions that were already used
• Update runc (in static binaries) to v1.3.5
• Windows: Fix DOCKER_TMPDIR not being respected

Packaging updates

• Update BuildKit to v0.29.0

Networking

• Prevent a daemon crash during startup after upgrading if a container config contains a malformed IP-address

Go SDK

• cli/streams: Out, In: preserve original os.File when available
• Update minimum go version to go1.25

Deprecations

• Go SDK: cli-plugins/hooks: deprecate HookMessage and rename to cli-plugins/hooks.Response
• Go SDK: cli-plugins/hooks: deprecate HookType and rename to cli-plugins/hooks.ResponseType
• Go SDK: cli-plugins/manager: deprecate HookPluginData and move to cli-plugins/hooks.Request

Security fixes:

• CVE-2026-34040: Fix an authorization bypass in AuthZ plugins GHSA-x744-4wpc-v9h2
• CVE-2026-33997: Fix a flaw in docker plugin install where privilege validation could be partially bypassed GHSA-pxq6-2prw-chj9
• CVE-2026-33748: Fix insufficient validation of Git URL #ref:subdir fragments in BuildKit GHSA-4vrq-3vrq-g6gg
• CVE-2026-33747: Fix a vulnerability in BuildKit where an untrusted frontend could write files outside the state directory GHSA-3c29-8rgm-jvjj

Bug fixes:

• Fix a daemon crash during docker build if .dockerignore contained an invalid pattern
• Fix a panic when the containerd client uses a closed stream

Updates:

• Update containerd to v2.2.2
• Update Go runtime to 1.25.8

New features:

• Add bind-create-src option to --mount flag for bind mounts
• CLI plugin hooks now fire on command failure and plugins can use "error-hooks" to show hints only when commands fail
• Lower minimum API version from v1.44 to v1.40 (Docker 19.03)

Networking:

• Fix DNS config corruption on daemon reload

API changes:

• POST /networks/{id}/connect now correctly applies the MacAddress field in EndpointSettings
• GET /images/json now supports an identity query parameter for manifest summaries and trusted identity information

Bug fixes and enhancements:

• The --gpus option now uses CDI-based injection for AMD GPUs
• Add sd_notify notifications for daemon reload protocol
• Fix docker system prune failing with "rw layer snapshot not found"
• Fix panic when running docker top on non-running Windows container
• Fix regression preventing dockerd service registration on Windows
• Fix shared mount detection for bind propagation
• Preserve leading and trailing whitespace in registry passwords
• Update Go runtime to 1.25.7 and BuildKit to v0.28.0

Bug fixes:

• Update BuildKit to v0.27.1
• Fix docker system df failing when run concurrently with docker system prune
• Fix daemon handling of duplicate container exit events
• Fix panic after failed daemon initialization
• Fix encrypted overlay networks not passing traffic to containers on v28 and older Engines
• Fix potential panic on docker network prune

New features:

• docker info now includes NRI section
• Add experimental NRI support
• New Identity field in inspect endpoint showing trusted origin information about images

Bug fixes and enhancements:

• Improve validation of --detach-keys command-line options
• Remove restriction on anonymous read-only volumes
• The --validate flag on dockerd now verifies system requirements
• Handle --gpus requests for NVIDIA devices using CDI

Rootless:

• Consider $XDG_CONFIG_HOME/cdi and $XDG_RUNTIME_DIR/cdi for CDI devices
• Update RootlessKit to v2.3.6

API:

• Natively support gRPC on the listening socket

Deprecations:

• Remove %PROGRAMDATA%\Docker\cli-plugins from CLI plugin paths on Windows

Updates:

• Update BuildKit to v0.27.0
• Update containerd to v2.2.1

Networking:

• Fixed a regression where established network connections could be disrupted during a container's shutdown grace period

Updates:

• Update Go runtime to 1.25.6

Bug fixes:

• Fix docker run --network none panic on Windows
• Fix image mounts failing with "file name too long" for long mount paths
• Fix potential creation of orphaned overlay2 layers

Updates:

• Update BuildKit to v0.26.3

Bug fixes and enhancements:

• Add shell completion for docker stack deploy --compose-file
• containerd image store: Fix a bug causing docker build to ignore the explicitly set unpack image exporter option
• Fix docker image ls dangling image handling
• Fix a bug that could cause the Engine to leave containers with autoremove set in 'dead' state on shutdown
• Fix build on i386
• Fix explicit graphdriver configuration being treated as containerd snapshotter when prior graphdriver state exists
• Fix potential creation of orphaned overlay2 layers

Networking:

• Allow creation of a container with a specific IP address when its networks were not configured with a specific subnet
• Don't crash when starting a container created via the API before upgrade to v29.1.2

Navigation and documentation interface for Docker. No release information provided.