v29.5.0
New
- Rootless: Add new default
gvisor-tap-vsocknetwork driver. moby/moby#52319 - Enable private time namespace for containers by default on supported kernels. moby/moby#52326
- The
locallogging driver now has support for custom attributes, adding support for thelabel,label-regex,env,env-regex, andtaglog options. moby/moby#52348 - Windows: The daemon now supports listening on a Unix socket (
-H unix://...), with optional group-based access control via--group. moby/moby#52365
Security
- CVE-2026-32288: Fix a denial of service where pulling a maliciously crafted image could cause the daemon to allocate unbounded memory when processing sparse tar archives. GHSA-x4jj-h2v8-hqqv. moby/moby#52478
Bug fixes and enhancements
docker ps --formatnow supports a.HealthStatusplaceholder to print container health state (starting,healthy,unhealthy) as a dedicated field. docker/cli#6913- Add "time-namespaces" feature flag to disable time-namespaces. moby/moby#52577
- containerd integration: Fix auth token requests ignoring per-host TLS settings (custom CAs, insecure-registries). moby/moby#52600
- Daemon reload events now signify that the daemon reload has fully completed. moby/moby#52589
- Expose diagnostic data about userland proxy in
docker info. moby/moby#52321 - Fix
docker image ls --filter reference=...(GET /images/json) to also match fully qualified canonical image names (e.g.docker.io/library/alpine), not only the familiar short form. moby/moby#52333 - Fix a bug where leaving an autolock-enabled swarm could leave orphaned state, causing subsequent swarm init to fail with "Swarm is encrypted and needs to be unlocked". moby/moby#52479
- Fix an issue where logging errors appeared as empty strings in the daemon log instead of the message that failed to write. moby/moby#52442
- Fix incorrect SHARED SIZE and UNIQUE SIZE reporting in
docker system df -vby including shared content blobs in size calculation. moby/moby#52482 - Fix support for CDI specifications that request additional group IDs. moby/moby#52579
- Fix volume subpath file mounts over an existing file in the image failing container creation with "not a directory". moby/moby#52584
- Sort labels in
volume,network,config, andsecretformatters for deterministic output. docker/cli#6954 - Swarm: Prevent corruption of Raft snapshots when swarm state is large. moby/moby#52441
Packaging updates
- Update BuildKit to v0.30.0. moby/moby#52618
- Update Go runtime to 1.26.3. moby/moby#52572, docker/cli#6967
Networking
- Fix conntrack entries being incorrectly deleted for UDP containers sharing the same port on different IPs when one container is restarted. moby/moby#52423
- Fix stale VIP DNS records for swarm service network aliases not being removed during rolling updates. moby/moby#52236
- Fix the userland proxy silently dropping UDP datagrams when a previous write to an unavailable backend left a stale ECONNREFUSED error on the socket. moby/moby#52483
- Rootless: Properly support
--net=hostand localhost registries. moby/moby#47103
Rootless
- Update RootlessKit to v3.0.0. moby/moby#52319
Go SDK
- cli/config/configfile:
GetAuthConfig,GetCredentialsStore: normalize hostname when resolving auth. docker/cli#6846
Deprecations
- cli/command/image/build: remove deprecated
DefaultDockerfileNameconst. docker/cli#6737 - cli/command/image/build: remove deprecated
DetectArchiveReaderutil. docker/cli#6737 - cli/command/image/build: remove deprecated
IsArchiveutility. docker/cli#6737 - cli/command/image/build: remove deprecated
ResolveAndValidateContextPathutil. docker/cli#6737 - cli/command/image/build: remove deprecated
WriteTempDockerfileutil. docker/cli#6737
Fetched June 1, 2026
