{"id":"prod_kACmzmY4csLN22Kb-ITJX","name":"Engine","slug":"docker-engine","orgId":"org_WksM2ycywd9De6Cqqs9es","url":null,"description":"Container runtime engine","category":"developer-tools","kind":"platform","avatarUrl":null,"createdAt":"2026-04-10T16:21:25.847Z","embeddedAt":"2026-04-15T16:19:41.929Z","deletedAt":null,"sources":[{"id":"src_l_VnEKB66CQF5ISycqkRd","slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape","url":"https://docs.docker.com/engine/release-notes/29/","metadata":"{\"noFeedFound\":true,\"pageEtag\":\"W/\\\"d9bbbbc461a7dc0fab1c3f7410602734\\\"\",\"pageLastModified\":\"Fri, 10 Jul 2026 10:34:20 GMT\",\"pageContentLength\":\"650685\",\"sourceActor\":{\"nextAlarmAt\":null,\"lastAlarmAt\":\"2026-07-10T16:09:56.959Z\",\"managed\":false}}","kind":"platform"}],"tags":["containers","runtime"],"aliases":[],"notice":null,"releases":[{"id":"rel_QYTvjYZIYTOMsKbKDt5fe","version":"29.6.1","type":"feature","title":"29.6.1","summary":"### Security\n\nThis release includes fixes for multiple security vulnerabilities affecting Docker Engine.\n\n* A malicious image could supply a malicious...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"### Security\n\nThis release includes fixes for multiple security vulnerabilities affecting Docker Engine.\n\n* A malicious image could supply a malicious `/etc/passwd` or `/etc/group`-style file causing excessive memory consumption, potentially resulting in process termination due to Out Of Memory (OOM) conditions. [GHSA-mjcv-p78q-w5fw](https://github.com/moby/sys/security/advisories/GHSA-mjcv-p78q-w5fw), [GHSA-jpcc-p29g-p8mq](https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq), [GHSA-72x6-4j93-7w86](https://github.com/moby/buildkit/security/advisories/GHSA-72x6-4j93-7w86)\n* A custom frontend could send a crafted build request that disabled Seccomp and AppArmor protections for the build container, even if the user did not explicitly allow the security.insecure entitlement. [GHSA-7236-3392-c5c6](https://github.com/moby/buildkit/security/advisories/GHSA-7236-3392-c5c6)\n\n### Bug fixes and enhancements\n\n* Update containerd (static binaries) to [v2.2.5](https://github.com/containerd/containerd/releases/tag/v2.2.5).\n\n### Packaging updates\n\n* Update BuildKit to [v0.31.1](https://github.com/moby/buildkit/releases/tag/v0.31.1).","publishedAt":"2026-06-26T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-6-1","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":1163,"contentTokens":327,"composition":null},{"id":"rel__5zLo_MxFwjUv5a9gdWZk","version":"29.6.0","type":"feature","title":"29.6.0","summary":"### New\n\n- `POST /containers/{id}/update` now supports per-device blkio resource settings\n- Add `GET /images/{name}/attestations` endpoint to retrieve...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"### New\n\n- `POST /containers/{id}/update` now supports per-device blkio resource settings\n- Add `GET /images/{name}/attestations` endpoint to retrieve in-toto attestation statements (such as SLSA provenance and SPDX SBOM) attached to an image\n\n### Bug fixes and enhancements\n\n- `docker image push` now respects `NO_COLOR`\n- containerd image store: Fix `docker system prune` to include unpacked image data when reporting reclaimed space\n- Fix `docker system df` image size reporting to count only snapshots directly used by images\n- Fix a bug where registry authentication failures during worker image pulls were reported as a misleading \"No such image\" error\n- Fix default BuildKit GC policy to prune reproducible cache types as intended\n- Fix explicit file modes being filtered by the daemon umask, including `COPY --chmod` permissions\n- Fix image selection with the containerd image store on amd64 hosts when images provide amd64 variant-specific manifests\n- The `--password` flag on `docker login` now accepts `-` to pass the password through STDIN as alternative to `--password-stdin`\n\n### Packaging updates\n\n- Update runc (in static binaries) to v1.3.6\n- Update BuildKit to v0.31.0\n\n### Networking\n\n- Allow the nftables firewall mode to be used with a daemon that is linked against libnftables when the `nft` command is not installed on the system\n- Don't publish container ports on host ports listed in `net.ipv4.ip_local_reserved_ports` when dynamically allocating ports\n- Fix a race condition in overlay network bulk sync that caused ~30s DNS resolution delays on newly joined swarm nodes\n- Mitigate a crash in libnftables when using nftables as the firewall backend by changing the default build option\n\n### Rootless\n\n- Silence the spurious warning \"IPv4 forwarding is disabled\"\n\n### Deprecations\n\n- The Engine now returns a deprecation warning when a container connected to the default bridge is created with links specified","publishedAt":"2026-06-18T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-6-0","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":1934,"contentTokens":429,"composition":null},{"id":"rel_k6iLycuCbC30S0t32mywr","version":"29.5.3","type":"feature","title":"29.5.3","summary":"### Bug fixes and enhancements\n\n* Reduce `docker system df` errors when images are pruned at the same time with the containerd image store. [moby/moby...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"### Bug fixes and enhancements\n\n* Reduce `docker system df` errors when images are pruned at the same time with the containerd image store. [moby/moby#52672](https://github.com/moby/moby/pull/52672)\n\n### Packaging updates\n\n* Update containerd (static binaries only) to [v2.2.4](https://github.com/containerd/containerd/releases/tag/v2.2.4). [moby/moby#52683](https://github.com/moby/moby/pull/52683)\n* Update Go runtime to [1.26.4](https://go.dev/doc/devel/release#go1.26.4). [moby/moby#52753](https://github.com/moby/moby/pull/52753), [docker/cli#7025](https://github.com/docker/cli/pull/7025)\n\n### Rootless\n\n* Fix AWS IMDS access with `gvisor-tap-vsock` and UDP port forwarding for non-loopback clients. [moby/moby#52710](https://github.com/moby/moby/pull/52710)\n* Fix installation of plugins that require host networking. [moby/moby#52735](https://github.com/moby/moby/pull/52735)\n* Update RootlessKit to [v3.0.1](https://github.com/rootless-containers/rootlesskit/releases/tag/v3.0.1). [moby/moby#52710](https://github.com/moby/moby/pull/52710)","publishedAt":"2026-06-03T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-5-3","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":1048,"contentTokens":327,"composition":null},{"id":"rel_SKtjCSR1fNX-RqkO0qNr3","version":"29.5.2","type":"feature","title":"29.5.2","summary":"**Bug fixes and enhancements**\n\n* Fix a regression introduced in 29.5.1 where `docker cp` failed with \"mkdirat: file exists\" when a container had a bi...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Bug fixes and enhancements**\n\n* Fix a regression introduced in 29.5.1 where `docker cp` failed with \"mkdirat: file exists\" when a container had a bind mount whose target traversed an in-container symlink (e.g. `/var/run -> /run`). [moby/moby#52655](https://github.com/moby/moby/pull/52655)","publishedAt":"2026-05-20T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-5-2","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":291,"contentTokens":81,"composition":null},{"id":"rel_ogPODg67KNhq8ZWUKLX-6","version":"29.5.1","type":"feature","title":"29.5.1","summary":"**Security**\n\nThis release includes fixes for multiple security vulnerabilities affecting Docker Engine.\n\n* **CVE-2026-41567** Fix a vulnerability in ...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Security**\n\nThis release includes fixes for multiple security vulnerabilities affecting Docker Engine.\n\n* **CVE-2026-41567** Fix a vulnerability in `docker cp` where archive decompression binaries (e.g. `xz`, `unpigz`) were resolved via `PATH` inside the container filesystem while running as host root, allowing a malicious container to execute arbitrary binaries with host root privileges. [GHSA-x86f-5xw2-fm2r](https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r)\n* **CVE-2026-41568** Fix a TOCTOU vulnerability in `docker cp` that allowed a container process to create files or directories at arbitrary locations on the host filesystem. [GHSA-vp62-88p7-qqf5](https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5)\n* **CVE-2026-42306** Fix a TOCTOU vulnerability in `docker cp` that allowed a container process to redirect a bind mount to an arbitrary location on the host filesystem. [GHSA-rg2x-37c3-w2rh](https://github.com/moby/moby/security/advisories/GHSA-rg2x-37c3-w2rh)\n\n**Networking**\n\n* Fix UDP conntrack entries not being deleted when not bound to a specific IP address. [moby/moby#52640](https://github.com/moby/moby/pull/52640)","publishedAt":"2026-05-18T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-5-1","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":1176,"contentTokens":330,"composition":null},{"id":"rel_oZwE44_3D4aN-ZXkNDenX","version":"29.5.0","type":"feature","title":"29.5.0","summary":"**New**\n\n* Rootless: Add new default `gvisor-tap-vsock` network driver. [moby/moby#52319](https://github.com/moby/moby/pull/52319)\n* Enable private ti...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**New**\n\n* Rootless: Add new default `gvisor-tap-vsock` network driver. [moby/moby#52319](https://github.com/moby/moby/pull/52319)\n* Enable private time namespace for containers by default on supported kernels. [moby/moby#52326](https://github.com/moby/moby/pull/52326)\n* The `local` logging driver now has support for custom attributes, adding support for the `label`, `label-regex`, `env`, `env-regex`, and `tag` log options. [moby/moby#52348](https://github.com/moby/moby/pull/52348)\n* Windows: The daemon now supports listening on a Unix socket (`-H unix://...`), with optional group-based access control via `--group`. [moby/moby#52365](https://github.com/moby/moby/pull/52365)\n\n**Security**\n\n* CVE-2026-32288: Fix a denial of service where pulling a maliciously crafted image could cause the daemon to allocate unbounded memory when processing sparse tar archives. [GHSA-x4jj-h2v8-hqqv](https://github.com/advisories/GHSA-x4jj-h2v8-hqqv). [moby/moby#52478](https://github.com/moby/moby/pull/52478)\n\n**Bug fixes and enhancements**\n\n* `docker ps --format` now supports a `.HealthStatus` placeholder to print container health state (`starting`, `healthy`, `unhealthy`) as a dedicated field. [docker/cli#6913](https://github.com/docker/cli/pull/6913)\n* Add \"time-namespaces\" feature flag to disable time-namespaces. [moby/moby#52577](https://github.com/moby/moby/pull/52577)\n* containerd integration: Fix auth token requests ignoring per-host TLS settings (custom CAs, insecure-registries). [moby/moby#52600](https://github.com/moby/moby/pull/52600)\n* Daemon reload events now signify that the daemon reload has fully completed. [moby/moby#52589](https://github.com/moby/moby/pull/52589)\n* Expose diagnostic data about userland proxy in `docker info`. [moby/moby#52321](https://github.com/moby/moby/pull/52321)\n* Fix `docker image ls --filter reference=...` (`GET /images/json`) to also match fully qualified canonical image names (e.g. `docker.io/library/alpine`), not only the familiar short form. [moby/moby#52333](https://github.com/moby/moby/pull/52333)\n* Fix a bug where leaving an autolock-enabled swarm could leave orphaned state, causing subsequent swarm init to fail with \"Swarm is encrypted and needs to be unlocked\". [moby/moby#52479](https://github.com/moby/moby/pull/52479)\n* Fix an issue where logging errors appeared as empty strings in the daemon log instead of the message that failed to write. [moby/moby#52442](https://github.com/moby/moby/pull/52442)\n* Fix incorrect SHARED SIZE and UNIQUE SIZE reporting in `docker system df -v` by including shared content blobs in size calculation. [moby/moby#52482](https://github.com/moby/moby/pull/52482)\n* Fix support for CDI specifications that request additional group IDs. [moby/moby#52579](https://github.com/moby/moby/pull/52579)\n* Fix volume subpath file mounts over an existing file in the image failing container creation with \"not a directory\". [moby/moby#52584](https://github.com/moby/moby/pull/52584)\n* Sort labels in `volume`, `network`, `config`, and `secret` formatters for deterministic output. [docker/cli#6954](https://github.com/docker/cli/pull/6954)\n* Swarm: Prevent corruption of Raft snapshots when swarm state is large. [moby/moby#52441](https://github.com/moby/moby/pull/52441)\n\n**Packaging updates**\n\n* Update BuildKit to [v0.30.0](https://github.com/moby/buildkit/releases/tag/v0.30.0). [moby/moby#52618](https://github.com/moby/moby/pull/52618)\n* Update Go runtime to [1.26.3](https://go.dev/doc/devel/release#go1.26.3). [moby/moby#52572](https://github.com/moby/moby/pull/52572), [docker/cli#6967](https://github.com/docker/cli/pull/6967)\n\n**Networking**\n\n* Fix conntrack entries being incorrectly deleted for UDP containers sharing the same port on different IPs when one container is restarted. [moby/moby#52423](https://github.com/moby/moby/pull/52423)\n* Fix stale VIP DNS records for swarm service network aliases not being removed during rolling updates. [moby/moby#52236](https://github.com/moby/moby/pull/52236)\n* Fix the userland proxy silently dropping UDP datagrams when a previous write to an unavailable backend left a stale ECONNREFUSED error on the socket. [moby/moby#52483](https://github.com/moby/moby/pull/52483)\n* Rootless: Properly support `--net=host` and localhost registries. [moby/moby#47103](https://github.com/moby/moby/pull/47103)\n\n**Rootless**\n\n* Update RootlessKit to [v3.0.0](https://github.com/rootless-containers/rootlesskit/releases/tag/v3.0.0). [moby/moby#52319](https://github.com/moby/moby/pull/52319)\n\n**Go SDK**\n\n* cli/config/configfile: `GetAuthConfig`, `GetCredentialsStore`: normalize hostname when resolving auth. [docker/cli#6846](https://github.com/docker/cli/pull/6846)\n\n**Deprecations**\n\n* cli/command/image/build: remove deprecated `DefaultDockerfileName` const. [docker/cli#6737](https://github.com/docker/cli/pull/6737)\n* cli/command/image/build: remove deprecated `DetectArchiveReader` util. [docker/cli#6737](https://github.com/docker/cli/pull/6737)\n* cli/command/image/build: remove deprecated `IsArchive` utility. [docker/cli#6737](https://github.com/docker/cli/pull/6737)\n* cli/command/image/build: remove deprecated `ResolveAndValidateContextPath` util. [docker/cli#6737](https://github.com/docker/cli/pull/6737)\n* cli/command/image/build: remove deprecated `WriteTempDockerfile` util. [docker/cli#6737](https://github.com/docker/cli/pull/6737)","publishedAt":"2026-05-14T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-5-0","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":5389,"contentTokens":1499,"composition":null},{"id":"rel_jzybaS_Eb0RyeCHjUu_7n","version":"29.4.3","type":"feature","title":"29.4.3","summary":"CVE-2026-31431, which exposed AF_ALG sockets to 32-bit programs, is patched by replacing the socketcall(2) seccomp deny with targeted AppArmor (deny network alg) and SELinux (alg_socket) rules at the LSM layer. On SELinux systems, this requires `selinux-enabled: true` in daemon.json or via the `--selinux-enabled` flag. Also fixed the default AppArmor profile not being updated on daemon restart, which previously required a system reboot to pick up profile changes from upgrades.","titleGenerated":"Docker Engine 29.4.3 fixes CVE-2026-31431 AF_ALG socket exposure","titleShort":"CVE-2026-31431 AF_ALG socket exposure patched","breaking":"unknown","importance":null,"content":"### Security\n\n* **CVE-2026-31431**: Replace the socketcall(2) seccomp deny that broke 32-bit programs with targeted AppArmor (deny network alg) and SELinux (alg_socket) rules that block AF_ALG at the LSM layer, covering both socket(2) and socketcall(2) paths without disrupting legitimate 32-bit workloads. [moby/moby#52537](https://github.com/moby/moby/pull/52537)\nOn SELinux-based systems, the SELinux mitigation requires the daemon to be configured with `selinux-enabled: true` (via `daemon.json` or the `--selinux-enabled` CLI flag). This option is not enabled by default.\n* Fix the default AppArmor profile not being updated on daemon restart, requiring a system reboot to pick up profile changes from daemon upgrades. [moby/moby#52537](https://github.com/moby/moby/pull/52537)","publishedAt":"2026-05-06T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-4-3","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_EmKaF2OsjTvOvl_aS_-hi","version":"29.4.2","type":"feature","title":"29.4.2","summary":"### Security\n\nThis release includes hardening for **CVE-2026-31431**.\n\n* Block `AF_ALG` sockets and the `socketcall(2)` multiplexer in the default sec...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"### Security\n\nThis release includes hardening for **CVE-2026-31431**.\n\n* Block `AF_ALG` sockets and the `socketcall(2)` multiplexer in the default seccomp profile to prevent in-container privilege escalation via the kernel crypto API (\"Copy Fail\"). [moby/moby#52501](https://github.com/moby/moby/pull/52501)","publishedAt":"2026-05-01T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-4-2","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_X3hQXk8dM_iJUG4l7cLNP","version":"29.4.1","type":"feature","title":"29.4.1","summary":"### Bug fixes and enhancements\n\n* containerd image store: Fix `docker image prune --filter label!=key=value` incorrectly skipping images that don't ha...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"### Bug fixes and enhancements\n\n* containerd image store: Fix `docker image prune --filter label!=key=value` incorrectly skipping images that don't have the specified label. [moby/moby#52338](https://github.com/moby/moby/pull/52338)\n* Fix `--log-opt \"tag={{.ImageID}}\"` not stripping the digest's algorithm. [moby/moby#52343](https://github.com/moby/moby/pull/52343)\n* Fix intermittent container start failures (`EBUSY` on secrets/configs remount) on busy Swarm nodes by retrying the read-only remount. [moby/moby#52235](https://github.com/moby/moby/pull/52235)\n\n### Packaging updates\n\n* Update containerd (static binaries only) to [v2.2.3](https://github.com/containerd/containerd/releases/tag/v2.2.3). [moby/moby#52360](https://github.com/moby/moby/pull/52360)\n* Update Go runtime to [1.26.2](https://go.dev/doc/devel/release#go1.26.2). [docker/cli#6920](https://github.com/docker/cli/pull/6920), [moby/moby#52329](https://github.com/moby/moby/pull/52329)\n\n### Networking\n\n* if a container has an IPv4-only or an IPv6-only endpoint with higher \"gateway priority\" than a dual stack endpoint, the single stack endpoint will now be used as the default gateway for its address family. [moby/moby#52328](https://github.com/moby/moby/pull/52328)","publishedAt":"2026-04-20T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-4-1","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_vQEH5ut1heGTcsUl5e8GI","version":"29.4.0","type":"feature","title":"29.4.0","summary":"### Bug fixes and enhancements\n\n* docker cp: report both content size and transferred size\n* Fix `docker stats --all` still showing containers that we...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"### Bug fixes and enhancements\n\n* docker cp: report both content size and transferred size\n* Fix `docker stats --all` still showing containers that were removed\n* Fix a rare bug that could cause containers to become unremovable\n* Fixed privileged containers losing their explicit AppArmor profile after a container restart\n* Improved duplicate container-exit handling by using live containerd task state\n* Improved image pull and push performance by enabling HTTP keep-alive for registry connections\n* shell completions: add shell completion for `docker rm --link` and exclude legacy links for container names\n* shell completions: don't provide completions that were already used\n* Update runc (in static binaries) to v1.3.5\n* Windows: Fix `DOCKER_TMPDIR` not being respected\n\n### Packaging updates\n\n* Update BuildKit to v0.29.0\n\n### Networking\n\n* Prevent a daemon crash during startup after upgrading if a container config contains a malformed IP-address\n\n### Go SDK\n\n* cli/streams: Out, In: preserve original os.File when available\n* Update minimum go version to go1.25\n\n### Deprecations\n\n* Go SDK: cli-plugins/hooks: deprecate `HookMessage` and rename to `cli-plugins/hooks.Response`\n* Go SDK: cli-plugins/hooks: deprecate `HookType` and rename to `cli-plugins/hooks.ResponseType`\n* Go SDK: cli-plugins/manager: deprecate `HookPluginData` and move to `cli-plugins/hooks.Request`","publishedAt":"2026-04-07T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-4-0","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_lsuNAkd4eEYN3R2_tKaDw","version":"29.3.1","type":"feature","title":"29.3.1","summary":"**Security fixes:**\n- CVE-2026-34040: Fix an authorization bypass in AuthZ plugins [GHSA-x744-4wpc-v9h2](https://github.com/moby/moby/security/advisor...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Security fixes:**\n- CVE-2026-34040: Fix an authorization bypass in AuthZ plugins [GHSA-x744-4wpc-v9h2](https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2)\n- CVE-2026-33997: Fix a flaw in `docker plugin install` where privilege validation could be partially bypassed [GHSA-pxq6-2prw-chj9](https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9)\n- CVE-2026-33748: Fix insufficient validation of Git URL `#ref:subdir` fragments in BuildKit [GHSA-4vrq-3vrq-g6gg](https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg)\n- CVE-2026-33747: Fix a vulnerability in BuildKit where an untrusted frontend could write files outside the state directory [GHSA-3c29-8rgm-jvjj](https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj)\n\n**Bug fixes:**\n- Fix a daemon crash during docker build if `.dockerignore` contained an invalid pattern\n- Fix a panic when the containerd client uses a closed stream\n\n**Updates:**\n- Update containerd to v2.2.2\n- Update Go runtime to 1.25.8","publishedAt":"2026-03-25T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-3-1","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_qiwiyMwrK-2zbDQALKQC1","version":"29.3.0","type":"feature","title":"29.3.0","summary":"**New features:**\n- Add `bind-create-src` option to `--mount` flag for bind mounts\n- CLI plugin hooks now fire on command failure and plugins can use ...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**New features:**\n- Add `bind-create-src` option to `--mount` flag for bind mounts\n- CLI plugin hooks now fire on command failure and plugins can use \"error-hooks\" to show hints only when commands fail\n- Lower minimum API version from v1.44 to v1.40 (Docker 19.03)\n\n**Networking:**\n- Fix DNS config corruption on daemon reload\n\n**API changes:**\n- `POST /networks/{id}/connect` now correctly applies the `MacAddress` field in `EndpointSettings`\n- `GET /images/json` now supports an `identity` query parameter for manifest summaries and trusted identity information\n\n**Bug fixes and enhancements:**\n- The `--gpus` option now uses CDI-based injection for AMD GPUs\n- Add `sd_notify` notifications for daemon reload protocol\n- Fix `docker system prune` failing with \"rw layer snapshot not found\"\n- Fix panic when running `docker top` on non-running Windows container\n- Fix regression preventing dockerd service registration on Windows\n- Fix shared mount detection for bind propagation\n- Preserve leading and trailing whitespace in registry passwords\n- Update Go runtime to 1.25.7 and BuildKit to v0.28.0","publishedAt":"2026-03-05T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-3-0","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_-DpZOxLUCHrvYsObB5QjX","version":"29.2.1","type":"feature","title":"29.2.1","summary":"**Bug fixes:**\n- Update BuildKit to v0.27.1\n- Fix `docker system df` failing when run concurrently with `docker system prune`\n- Fix daemon handling of...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Bug fixes:**\n- Update BuildKit to v0.27.1\n- Fix `docker system df` failing when run concurrently with `docker system prune`\n- Fix daemon handling of duplicate container exit events\n- Fix panic after failed daemon initialization\n- Fix encrypted overlay networks not passing traffic to containers on v28 and older Engines\n- Fix potential panic on `docker network prune`","publishedAt":"2026-02-02T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-2-1","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_4z8ifQw9qpSLa8ihijRSV","version":"29.2.0","type":"feature","title":"29.2.0","summary":"**New features:**\n- `docker info` now includes `NRI` section\n- Add experimental NRI support\n- New `Identity` field in inspect endpoint showing trusted...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**New features:**\n- `docker info` now includes `NRI` section\n- Add experimental NRI support\n- New `Identity` field in inspect endpoint showing trusted origin information about images\n\n**Bug fixes and enhancements:**\n- Improve validation of `--detach-keys` command-line options\n- Remove restriction on anonymous read-only volumes\n- The `--validate` flag on dockerd now verifies system requirements\n- Handle `--gpus` requests for NVIDIA devices using CDI\n\n**Rootless:**\n- Consider `$XDG_CONFIG_HOME/cdi` and `$XDG_RUNTIME_DIR/cdi` for CDI devices\n- Update RootlessKit to v2.3.6\n\n**API:**\n- Natively support gRPC on the listening socket\n\n**Deprecations:**\n- Remove `%PROGRAMDATA%\\Docker\\cli-plugins` from CLI plugin paths on Windows\n\n**Updates:**\n- Update BuildKit to v0.27.0\n- Update containerd to v2.2.1","publishedAt":"2026-01-26T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-2-0","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_xsDgX5lTG6Kq7Gh9e2_Lx","version":"29.1.5","type":"feature","title":"29.1.5","summary":"**Networking:**\n- Fixed a regression where established network connections could be disrupted during a container's shutdown grace period\n\n**Updates:**...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Networking:**\n- Fixed a regression where established network connections could be disrupted during a container's shutdown grace period\n\n**Updates:**\n- Update Go runtime to 1.25.6","publishedAt":"2026-01-16T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-1-5","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_0Z9JuVTBaEhYk8K39T1hW","version":"29.1.4","type":"feature","title":"29.1.4","summary":"**Bug fixes:**\n- Fix `docker run --network none` panic on Windows\n- Fix image mounts failing with \"file name too long\" for long mount paths\n- Fix pote...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Bug fixes:**\n- Fix `docker run --network none` panic on Windows\n- Fix image mounts failing with \"file name too long\" for long mount paths\n- Fix potential creation of orphaned overlay2 layers\n\n**Updates:**\n- Update BuildKit to v0.26.3","publishedAt":"2026-01-08T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-1-4","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_DV4ZjQ2PkwxvOtylUxJpG","version":"29.1.3","type":"feature","title":"29.1.3","summary":"**Bug fixes and enhancements:**\n- Add shell completion for `docker stack deploy --compose-file`\n- containerd image store: Fix a bug causing `docker bu...","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"**Bug fixes and enhancements:**\n- Add shell completion for `docker stack deploy --compose-file`\n- containerd image store: Fix a bug causing `docker build` to ignore the explicitly set `unpack` image exporter option\n- Fix `docker image ls` dangling image handling\n- Fix a bug that could cause the Engine to leave containers with autoremove set in 'dead' state on shutdown\n- Fix build on i386\n- Fix explicit graphdriver configuration being treated as containerd snapshotter when prior graphdriver state exists\n- Fix potential creation of orphaned overlay2 layers\n\n**Networking:**\n- Allow creation of a container with a specific IP address when its networks were not configured with a specific subnet\n- Don't crash when starting a container created via the API before upgrade to v29.1.2","publishedAt":"2025-12-12T00:00:00.000Z","url":"https://docs.docker.com/engine/release-notes/29/#29-1-3","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null},{"id":"rel_JmPjg2MBpMJ0Bs3v6qiCy","version":null,"type":"feature","title":"Ask me about Docker","summary":"Navigation and documentation interface for Docker. No release information provided.","titleGenerated":null,"titleShort":null,"breaking":"unknown","importance":null,"content":"Navigation and documentation interface for Docker. No release information provided.","publishedAt":null,"url":"https://docs.docker.com/engine/release-notes/29/","media":[],"prerelease":false,"source":{"slug":"docker-engine-release-notes","name":"Engine Release Notes","type":"scrape"},"product":{"slug":"docker-engine","name":"Engine"},"groupSlug":"docker-engine","groupName":"Engine","coverageCount":0,"contentChars":null,"contentTokens":null,"composition":null}],"pagination":{"nextCursor":null,"limit":20}}