
v29.5.1

Security

This release includes fixes for multiple security vulnerabilities affecting Docker Engine.

  • CVE-2026-41567 Fix a vulnerability in docker cp where archive decompression binaries (e.g. xz, unpigz) were resolved via PATH inside the container filesystem while running as host root, allowing a malicious container to execute arbitrary binaries with host root privileges. GHSA-x86f-5xw2-fm2r
  • CVE-2026-41568 Fix a TOCTOU vulnerability in docker cp that allowed a container process to create files or directories at arbitrary locations on the host filesystem. GHSA-vp62-88p7-qqf5
  • CVE-2026-42306 Fix a TOCTOU vulnerability in docker cp that allowed a container process to redirect a bind mount to an arbitrary location on the host filesystem. GHSA-rg2x-37c3-w2rh
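
The PATH-resolution problem described for CVE-2026-41567, sketched as an added Go example; it is not Moby's code and not the actual patch. The function names, the constructed temporary layout and the "refuse anything that resolves under the container root" check are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lookIn returns the first executable regular file prefix/dir/name for dir in dirs.
func lookIn(prefix, name string, dirs []string) (string, error) {
	for _, d := range dirs {
		p := filepath.Join(prefix, d, name)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() && fi.Mode()&0o111 != 0 {
			return p, nil
		}
	}
	return "", fmt.Errorf("%s: not found", name)
}

// ResolveInsideRoot models the flaw: PATH is searched under the container root.
func ResolveInsideRoot(root, name, pathEnv string) (string, error) {
	return lookIn(root, name, filepath.SplitList(pathEnv))
}

// ResolveTrusted searches host dirs only and rejects results under the container root.
func ResolveTrusted(root, name string, hostDirs []string) (string, error) {
	p, err := lookIn("", name, hostDirs)
	if err == nil {
		p, err = filepath.EvalSymlinks(p) // canonicalise so a symlink cannot hide the target
	}
	base, err2 := filepath.EvalSymlinks(root)
	if err != nil || err2 != nil {
		return "", fmt.Errorf("cannot resolve %s safely", name)
	}
	if strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", fmt.Errorf("%s resolves inside container root", name)
	}
	return p, nil
}

func main() { // constructed layout: a throwaway "container root" with its own xz
	root, _ := os.MkdirTemp("", "rootfs")
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "bin"), 0o755)
	os.WriteFile(filepath.Join(root, "bin", "xz"), []byte("#!/bin/sh\n"), 0o755)
	fmt.Println(ResolveInsideRoot(root, "xz", "/bin"))
	fmt.Println(ResolveTrusted(root, "xz", []string{"/usr/bin", "/bin"}))
}
```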

Networking

  • Fix UDP conntrack entries not being deleted when not bound to a specific IP address. moby/moby#52640

Fetched June 1, 2026

v29.5.1 — Engine Release Notes — releases.sh