
v29.4.2


@vvoland released this 01 May 07:40
· 475 commits to master since this release
docker-v29.4.2
d329809

29.4.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Security

This release includes hardening for CVE-2026-31431.

  • Block AF_ALG sockets and the socketcall(2) multiplexer in the default seccomp profile to prevent in-container privilege escalation via the kernel crypto API ("Copy Fail"). moby/moby#52501

Known issues

The hardening can break 32-bit programs and i386 images, including SteamCMD and some Wine-based workloads. moby/moby#52506

Workaround

Warning

Don't use --security-opt seccomp=unconfined to work around this issue.
Don't use the seccomp/v0.2.0 profile.

If you need a workaround, use the seccomp/v0.2.1 profile from moby/profiles.
Make sure you use a kernel that includes the fix for CVE-2026-31431.

This profile unblocks the socketcall(2) multiplexer while keeping AF_ALG blocked for socket(2).

Important

Use this workaround only for containers that require it.
Containers that use this profile can still exploit CVE-2026-31431 through the socketcall syscall.

Download the seccomp/v0.2.1 profile:

$ curl -fsSL https://raw.githubusercontent.com/moby/profiles/refs/tags/seccomp/v0.2.1/seccomp/default.json \
  -o /etc/docker/seccomp-profile-v0.2.1.json

Use one of these options. You don't need both.

  1. To use the profile for a specific container when you control the docker run command, use --security-opt:

     $ docker run --security-opt seccomp=<path> ...

  2. To use the profile as the default for containers created by the daemon, add seccomp-profile to your daemon.json:

     {
       "seccomp-profile": "/etc/docker/seccomp-profile-v0.2.1.json"
     }
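After downloading a profile, it is worth checking that it actually has the shape the workaround describes: socketcall reachable, socket(2) denied when the domain argument is AF_ALG. The following audit script is an added example, not part of the moby release or the moby/profiles repository. It parses Docker's seccomp JSON format (defaultAction, syscalls[].names, syscalls[].action, syscalls[].args with index/value/op) and reports those two properties. The embedded profile is a constructed sample that only mimics the layout of an allowlist profile; it is not the real seccomp/v0.2.1 file, and AF_ALG = 38 is the Linux address-family constant. The check is structural: it reads the JSON as written and does not model libseccomp rule-precedence corner cases or inspect the filter actually loaded into a running container.

```python
import json
import sys

AF_ALG = 38  # Linux address family for the kernel crypto API socket interface

# Actions that deny a syscall in Docker/OCI seccomp profiles.
DENY_ACTIONS = {
    "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
    "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP",
}


def make_profile(allow_socketcall):
    """Constructed sample profile (NOT the real moby/profiles file).

    Mimics an allowlist profile: everything denied by default, one allow rule
    listing syscalls, and an explicit deny rule for socket(2) with domain AF_ALG.
    With allow_socketcall=False it resembles the hardened default; with True it
    resembles the v0.2.1-style workaround that re-enables the multiplexer.
    """
    allowed = ["read", "write", "socket", "exit_group"]
    if allow_socketcall:
        allowed.append("socketcall")
    return json.dumps({
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86"],
        "syscalls": [
            {"names": allowed, "action": "SCMP_ACT_ALLOW"},
            {
                "names": ["socket"],
                "action": "SCMP_ACT_ERRNO",
                "errnoRet": 1,
                "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}],
            },
        ],
    })


def rules_for(profile, name):
    """All rules whose 'names' list mentions the given syscall."""
    return [r for r in profile.get("syscalls", []) if name in r.get("names", [])]


def syscall_allowed(profile, name):
    """True if the syscall is reachable without any argument filter."""
    unconditional = [r for r in rules_for(profile, name) if not r.get("args")]
    if any(r.get("action") == "SCMP_ACT_ALLOW" for r in unconditional):
        return True
    if any(r.get("action") in DENY_ACTIONS for r in unconditional):
        return False
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def af_alg_socket_blocked(profile):
    """True if socket(AF_ALG, ...) is denied.

    Either socket(2) is not allowed at all, or a deny rule matches argument
    index 0 (the domain) equal to AF_ALG.
    """
    if not syscall_allowed(profile, "socket"):
        return True
    for rule in rules_for(profile, "socket"):
        if rule.get("action") not in DENY_ACTIONS:
            continue
        for arg in rule.get("args", []):
            if (arg.get("index") == 0 and arg.get("op") == "SCMP_CMP_EQ"
                    and arg.get("value") == AF_ALG):
                return True
    return False


def audit(profile_text):
    """Summarise the two properties the workaround note cares about."""
    profile = json.loads(profile_text)
    return {
        "socketcall_allowed": syscall_allowed(profile, "socketcall"),
        "af_alg_socket_blocked": af_alg_socket_blocked(profile),
    }


if __name__ == "__main__":
    # Usage: python audit_seccomp.py /etc/docker/seccomp-profile-v0.2.1.json
    # Without an argument the constructed workaround-style sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = make_profile(allow_socketcall=True)
    for key, value in audit(text).items():
        print(f"{key}: {value}")
```

Run it against the downloaded file; for a workaround profile you expect socketcall_allowed to be True and af_alg_socket_blocked to be True, which is exactly the trade-off the Important note describes: the direct socket(2) path is closed, but on architectures that route socket creation through socketcall(2) the multiplexer remains open, so the kernel fix is still required.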