github rancher-sandbox/rancher-desktop v1.22.3
Rancher Desktop 1.22.3

5 hours ago

This is the 1.22.3 release of Rancher Desktop, an open source desktop application to bring Kubernetes and container management to macOS, Windows, and Linux.

Release Notes for 1.22.3

Rancher Desktop 1.22.3 is a security-focused patch release. We strongly recommend upgrading.

Security Fixes

Container escape mitigation (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500)

Three recent Linux kernel exploits — copy.fail (CVE-2026-31431) and the two dirtyfrag variants (CVE-2026-43284, CVE-2026-43500) — let unprivileged processes gain a page-cache write primitive and tamper with files outside their normal reach. Inside Rancher Desktop, that means an attacker with code execution in any container could escape that scope and modify the rest of the VM.

Each exploit needs a specific Linux kernel module loaded. Rancher Desktop now removes those modules, so the exploits have nothing to hook into.

Modules removed:

| Module | Used for | CVE it enables |
|---|---|---|
| esp4 / esp6 | IPsec ESP (site-to-site VPN gateways, e.g. strongSwan, libreswan) | CVE-2026-43284 (dirtyfrag, XFRM ESP) |
| rxrpc | RxRPC protocol, used almost exclusively by AFS / kAFS (Andrew File System) | CVE-2026-43500 (dirtyfrag, AF_RXRPC) |
| algif_aead | Kernel AEAD crypto via AF_ALG sockets (offload to hardware accelerators) | CVE-2026-31431 (copy.fail) |

What this means for you: unless you run an IPsec VPN endpoint or an AFS client, the removal is invisible to you.

On macOS and Linux, the rebuilt Alpine VM image omits the modules. (#10220, #10248)

On Windows, WSL2 provides kernel modules through a single overlay shared by every WSL distro running on the host, which means:

  • When Rancher Desktop starts, it removes these modules for all running WSL distros, not just its own. Other distros will lose IPsec ESP, AFS, and AF_ALG until WSL itself restarts.
  • When WSL restarts (e.g. wsl --shutdown followed by launching any distro), the upstream WSL kernel restores the modules.
  • The next time Rancher Desktop starts, it removes them again.

This is an "apply-on-start" / "forget-on-stop" lifecycle: Rancher Desktop never persists changes to your WSL installation. (#10247)

The bundled Alpine VM image also picks up a newer kernel containing additional upstream security patches.
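
To confirm the mitigation from inside a Linux guest, the following added example (not Rancher Desktop code) reports which of the four modules listed above are still loaded or still installed. The notes do not say how the removal is implemented, so the script checks both; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Rancher Desktop code. Reports which of the four modules
# named in the 1.22.3 notes are still loaded or still installed in a Linux guest.
MODULES="esp4 esp6 rxrpc algif_aead"

# loaded_flagged FILE: flagged names loaded according to a /proc/modules-format FILE.
# Only column 1 is matched, so a dependency entry like "algif_aead," is not counted.
loaded_flagged() {
    awk -v list="$MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }' "$1" | sort | xargs
}

# ondisk_flagged DIR: flagged names that still have a module file under DIR
# (plain .ko or compressed .ko.gz/.ko.xz/.ko.zst), i.e. could be loaded again.
ondisk_flagged() {
    for m in $MODULES; do
        find "$1" -type f \( -name "$m.ko" -o -name "$m.ko.*" \) 2>/dev/null |
            grep -q . && echo "$m"
    done | sort | xargs
}

# audit PROC_MODULES MODULE_DIR: print findings; exit status 0 only when clean.
audit() {
    loaded=$(loaded_flagged "$1")
    ondisk=$(ondisk_flagged "$2")
    [ -n "$loaded" ] && echo "loaded:  $loaded"
    [ -n "$ondisk" ] && echo "on disk: $ondisk"
    [ -z "$loaded$ondisk" ]
}

# Constructed sample input (not captured from a real system).
demo=$(mktemp -d)
mkdir -p "$demo/kernel/net/ipv4" "$demo/kernel/net/rxrpc"
: > "$demo/kernel/net/ipv4/esp4.ko.gz"
: > "$demo/kernel/net/rxrpc/rxrpc.ko"
cat > "$demo/proc_modules" <<'EOF'
af_alg 32768 1 algif_aead, Live 0x0000000000000000
algif_aead 16384 0 - Live 0x0000000000000000
esp4 28672 0 - Live 0x0000000000000000
overlay 151552 2 - Live 0x0000000000000000
EOF
audit "$demo/proc_modules" "$demo/kernel" || echo "result: flagged modules present"
# On a live guest: audit /proc/modules "/lib/modules/$(uname -r)"
```

A feature compiled directly into the kernel appears in neither /proc/modules nor as a .ko file, so check modules.builtin in the same module directory as well.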

Bug Fixes

Bind mounts via the Docker --mount flag on Windows

In Rancher Desktop 1.22.2, docker run --mount type=bind,... on Windows could mount the wrong directory or fail to start the container. This release restores correct bind-mount behavior; the -v /path:/path shorthand stayed correct throughout. (#10252)

Release Notes for 1.22.2

Rancher Desktop 1.22.2 is a patch release fixing a critical bug on macOS (and maybe on Linux). It contains no further changes beyond the following 2 items:

Fixed data volume mount on macOS

Under certain conditions, the data volume failed to mount on macOS. In that case, all data was stored in a RAM disk, which is limited to the amount of memory allocated to the VM (usually 6GB). This resulted in early out-of-memory errors when building or pulling images.

When Rancher Desktop was restarted, all data from the current session was lost because it was never written to disk. Theoretically, this could also have happened on Linux, but it has only been reported on macOS (#9754 and #10133).

Upgrade trivy 0.68.2 → 0.70.0

This release also upgrades trivy to 0.70.0 because version 0.68.2 is no longer available for download. There are no known issues with 0.68.2; it is simply no longer accessible.

Release Notes for 1.22.1

The 1.22.1 release did not fix the bug it was supposed to fix and was replaced with Rancher Desktop 1.22.2.

Release Notes for 1.22.0

What's New

Select moby storage driver

Version 1.21.0 switched to the containerd-snapshotter storage driver by default. On Windows, this happened unconditionally (even on upgrades), which made existing images inaccessible.

Users can now choose between the classic and containerd-snapshotter storage drivers via rdctl:

rdctl set --container-engine.moby-storage-driver classic
rdctl set --container-engine.moby-storage-driver snapshotter

Rancher Desktop automatically selects the driver based on where your existing images are stored. See Migrating Images for instructions on moving images between storage drivers. Windows users affected by the 1.21.0 issue can switch back to the classic driver to regain access to their images. (#9732)

Docker 29 in the VM

Alpine Linux has been updated to version 3.23, which includes Docker 29. This fixes issues with docker inspect returning incomplete image metadata. (#9671, #9739)

Kubernetes Dashboard improvements

Pod log streaming now works in the Dashboard. This had been broken since version 1.6.0. (#3212)

The Dashboard button now waits until the Steve API server accepts connections before becoming active. Previously, clicking the button too quickly after Kubernetes started would show a spinner that never resolved. (#8217)

The non-functional "Download KubeConfig" and "Kubectl Shell" buttons have been removed from the cluster dashboard. (#2208, #8151, #8757)

Docker Compose 5.0

Docker Compose has been updated to version 5.0. Key changes include:

  • Compose can now be used as an SDK for third-party integrations
  • The internal builder has been removed; builds are delegated to Docker Bake
  • Hooks now run on restart
  • New --wait option for the start command

Helm 4.0

Helm has been updated to version 4.0. See the Helm 4.0 release notes for details on the changes.

Diagnostics

Moby image store check

A new diagnostic reports when images exist in the inactive image store (classic vs. containerd-snapshotter), helping identify which images need migration. (#9733)

Windows: wsl-vpnkit detection

A new diagnostic warns when the wsl-vpnkit distribution is present, as it can cause networking issues with Rancher Desktop. (#9623)

Bug Fixes

macOS CA management with multiple keychains

Fixed a bug where certificates from multiple keychains were being written to the same file path, causing only the last keychain's certificates to be processed. (#9755)

K3s version channel labels not updating

Fixed an issue where version channel labels (e.g., stable, latest, v1.xx) were not removed from old versions when they moved to newer versions, causing multiple patch versions to appear in the recommended list. (#9709)

K3s image loading for older versions

Made the --all-platforms flag optional when loading K3s images, so older K3s versions (before 1.31) load images correctly. (#9708, #9710)

rdctl info works after upgrade

Fixed an issue where rdctl info failed with a BusyBox error for users who upgraded from version 1.19.3 or earlier, or restored an old snapshot. The 1.21.0 release notes mentioned a manual workaround; this is no longer needed. (#9546, #9554)

Containers page error handling

Fixed an "[object Object]" error that appeared on the Containers page when the backend became temporarily unavailable. (#9545, #9661)

Connectivity check uses HTTPS

The network connectivity diagnostic now uses an HTTPS HEAD request instead of HTTP GET, improving privacy by encrypting the request. (#9711)

Linux packaging fixes

Fixed an issue where the Debian package did not set the suid bit on chrome-sandbox, causing the application to fail to start on Debian and Ubuntu systems.

The virtualization support check now works correctly on Linux arm64 systems.

Extension fixes

Fixed several issues with Docker Desktop extensions:

  • Uninstall and upgrade buttons on the Installed tab now work correctly
  • Extension metadata and icons refresh properly after reinstalling an extension
  • Extensions without containers no longer cause errors during uninstall
  • The ddClient.extension object now includes the id and version fields as specified by the Docker Desktop Extension API

Updates to Bundled Utilities (from Rancher Desktop 1.21.0)

  • docker 29.0.2 → 29.1.4
  • docker-compose 2.40.3 → 5.0.1
  • docker-credential-helpers 0.9.4 → 0.9.5
  • helm 3.19.1 → 4.0.5
  • nerdctl 2.2.0 → 2.2.1
  • trivy 0.67.2 → 0.70.0

Unchanged:

  • amazon-ecr-credential-helper 0.11.0
  • docker-buildx 0.30.1
  • kuberlr 0.6.1
  • spin 3.5.1
  • spin-shim 0.22.0
  • spin-operator 0.6.1

Changelog

The full version changelog, from v1.21.0, can be found using GitHub compare and the details of the release can be found in the v1.22.0 milestone.
