Docker

Introduces a new reconciliation algorithm between observed and expected state, which may affect existing Compose workloads. Adds rawsetenv message type for provider plugins. Fixes include bypassing Docker Desktop proxy for loopback registries, honoring env_file required: false on publish, and skipping remote URL contexts from bake fs.read allowlist.

Introduced a new reconciliation algorithm between observed and expected container state, and added rawsetenv message type for provider plugins. Fixed TTY auto-detection via stderr, publish env_file handling with missing optional files, and skip validation when extracting config variables.

New

• POST /containers/{id}/update now supports per-device blkio resource settings
• Add GET /images/{name}/attestations endpoint to retrieve...

Local output now supports a mode=delete attribute that replaces the destination directory with the build result, restricted to subdirectories of the working directory by default. Resource limits for CPU and memory can be set via the --resource flag. Source policies support the BuildKit exec proxy feature for controlling build-step network traffic. Also fixes a possible closed channel panic.

Download Docker Desktop

• [Windows](https://desktop.docker.com/win/main/amd64/229452/Docker%20Desktop%20Installer.exe?utm%5Fsource=docker&utm%5...

4.77.0

2026-06-08

Download Docker Desktop

• [Windows](https://desktop.docker.com/win/main/amd64/228796/Docker%20Desktop%20Installer.exe?u...

Bug fixes and enhancements

• Reduce docker system df errors when images are pruned at the same time with the containerd image store. [moby/moby...

4.76.0

2026-06-01

New

• Docker Model Runner now supports registry mirrors.
• The docker sbom command has been removed. Use the [docker s...

4.75.0

2026-05-26

Updates

• Docker Offload v0.5.92
• Docker Engine v29.5.2
• [Doc...

Fixed OCI artifact pulls to route through Docker Desktop HTTP proxy and corrected literal inline environment values in the publish flag. Added a stop lifecycle hook for external providers and restored stoppingEvent/stoppedEvent helpers for plugin stop hook.

Fixed OCI artifact pulls to route through Docker Desktop HTTP proxy and corrected the publish command to properly flag literal inline environment values. Added a stop lifecycle hook for external providers and restored stoppingEvent/stoppedEvent helpers for plugin stop hooks.

Bug fixes and enhancements

• Fix a regression introduced in 29.5.1 where docker cp failed with "mkdirat: file exists" when a container had a bi...

Fixed a regression in the Bake command when building from Compose files with empty array values, and a possible panic in the Kubernetes driver when using statefulset.

4.74.0

2026-05-19

New

• Gordon is now generally available. New usage plans are also available. Paid ...

Security

This release includes fixes for multiple security vulnerabilities affecting Docker Engine.

• CVE-2026-41567 Fix a vulnerability in ...

New

• Rootless: Add new default gvisor-tap-vsock network driver. moby/moby#52319
• Enable private ti...

Buildx now supports a default source policy for Docker-provided build images (docker/dockerfile and docker/buildkit-syft-scanner) that are cryptographically verified before use, currently opt-in via the BUILDX_DEFAULT_POLICY environment variable with intent to enable by default in a future release. Kubernetes driver now supports persistent storage options using StatefulSet and persistent volume claims. Multiple fixes address progress policy error handling, dial-stdio connection closure, panic in debug command, Windows path handling in OCI layouts, cache misses from nondeterministic host ordering, and WSL GPU library mounting.

4.73.1

2026-05-13

Bug fixes and enhancements

For Windows

• Fixed a bug where Docker Desktop's own Electron processes were incorrectl...

4.73.0

2026-05-11

Updates

• Docker Engine v29.4.3
• [Docker Agent v1.54.0](https:...

Fixed CVE-2026-31431 ("copy.fail"), a privilege escalation vulnerability that allowed unprivileged container users to gain root access via the host VM page cache. Also fixed bugs where transient network errors during sign-in would unexpectedly sign users out instead of retrying, and where users were signed out mid-flow when signing in via docker login with OAuth. The Logs view is now generally available, and new Windows installations can choose between per-user (Beta) or all-user installs.