29.4.3
For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
Bug fixes
-
CVE-2026-31431: Fix the 29.4.2 regression that broke 32-bit programs and i386 images. The broad socketcall(2) seccomp deny is replaced with targeted AppArmor (deny network alg) and SELinux (alg_socket) rules that block AF_ALG at the LSM layer, covering both socket(2) and socketcall(2) paths without disrupting legitimate 32-bit workloads. moby/moby#52537
On SELinux-based systems, the SELinux mitigation requires the daemon to be configured with
selinux-enabled: true(viadaemon.jsonor the--selinux-enabledCLI flag). This option is not enabled by default. -
Fix the default AppArmor profile not being updated on daemon restart, requiring a system reboot to pick up profile changes from daemon upgrades. moby/moby#52537