Sourced fromgithub.com/docker/docker's releases.

v28.5.2

28.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.2 milestone
• moby/moby, 28.5.2 milestone

[!CAUTION]This release contains fixes for three high-severity security vulnerabilities in runc:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary/proc files.

Packaging updates

• Update runc tov1.3.3.moby/moby#51394

Bug fixes and enhancements

• dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt).moby/moby#51162
• Update Go runtime to1.24.9.moby/moby#51387,docker/cli#6613

Deprecations

• Go-SDK: cli/command/image/build: deprecateDefaultDockerfileName,DetectArchiveReader,WriteTempDockerfile,ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release.docker/cli#6610
• Go-SDK: cli/command/image/build: deprecate IsArchive utility.docker/cli#6560
• Go-SDK: opts: deprecateValidateMACAddress.docker/cli#6560
• Go-SDK: opts: deprecate ListOpts.Delete().docker/cli#6560

• 89c5e8f Merge pull request#51396 from thaJeztah/28.x_backport_api_docs
• 9b93878 Merge pull request#51395 from thaJeztah/28.x_backport_rootless_reject
• 6178456 Merge pull request#51398 from vvoland/51397-28.x
• 0cae4e5 vendor: github.com/moby/buildkit v0.25.2
• 33cc06f Merge pull request#51394 from vvoland/51393-28.x
• d525277 api/docs: remove BuildCache.Parent field for API v1.42 and up
• 2fbc51b dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
• bd98008 integration-cli: Adjust nofile limits
• 1967515 Dockerfile: update runc binary to v1.3.3
• 4489660 Merge pull request#51387 from thaJeztah/28.x_bump_go
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)