885abf4cf8
This is the sixth patch release of the 1.3.z series of runc. Among some performance improvements and bugfixes, it includes a fix for a low-severity vulnerability ([CVE-2026-41579]) and users are encouraged to update. As it was a low-severity vulnerability and it was reported by multiple people, we decided to release it publicly with NO EMBARGO. Security This release includes a fix for the following low-severity security issue: - CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in CVE-2025-31133, CVE-2025-52565, CVE-2025-31133 and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases. Fixed - A regression in runc v1.3.0 which can result in a stuck runc exec or runc run when the container process runs for a short time. - Various integration test improvements. Changed - When masking directories with maskPaths, runc will now re-use a single tmpfs instance (which is not writable) to reduce the number tmpfs superblocks that need to be reaped when containers die (in particular, Kubernetes applies masks to per-CPU sysfs directories which get expensive quickly). [CVE-2026-41579]: https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47 full diff: https://github.com/opencontainers/runc/compare/v1.3.5...v1.3.6 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Moby Project
Moby is an open-source project created by Docker to enable and accelerate software containerization.
It provides a "Lego set" of toolkit components, the framework for assembling them into custom container-based systems, and a place for all container enthusiasts and professionals to experiment and exchange ideas. Components include container build tools, a container registry, orchestration tools, a runtime and more, and these can be used as building blocks in conjunction with other tools and projects.
Principles
Moby is an open project guided by strong principles, aiming to be modular, flexible and without too strong an opinion on user experience. It is open to the community to help set its direction.
- Modular: the project includes lots of components that have well-defined functions and APIs that work together.
- Batteries included but swappable: Moby includes enough components to build fully featured container systems, but its modular architecture ensures that most of the components can be swapped by different implementations.
- Usable security: Moby provides secure defaults without compromising usability.
- Developer focused: The APIs are intended to be functional and useful to build powerful tools. They are not necessarily intended as end user tools but as components aimed at developers. Documentation and UX is aimed at developers not end users.
Audience
The Moby Project is intended for engineers, integrators and enthusiasts looking to modify, hack, fix, experiment, invent and build systems based on containers. It is not for people looking for a commercially supported system, but for people who want to work and learn with open source code.
Relationship with Docker
The components and tools in the Moby Project are initially the open source components that Docker and the community have built for the Docker Project. New projects can be added if they fit with the community goals. Docker is committed to using Moby as the upstream for the Docker Product. However, other projects are also encouraged to use Moby as an upstream, and to reuse the components in diverse ways, and all these uses will be treated in the same way. External maintainers and contributors are welcomed.
The Moby project is not intended as a location for support or feature requests for Docker products, but as a place for contributors to work on open source code, fix bugs, and make the code more useful. The releases are supported by the maintainers, community and users, on a best efforts basis only. For customers who want enterprise or commercial support, Docker Desktop and Mirantis Container Runtime are the appropriate products for these use cases.
Go modules
Important
Starting with Docker v29 (released November 2025), the Go module
github.com/docker/dockeris deprecated and won't be updated.
The supported public Go modules are:
| Module | Description |
|---|---|
github.com/moby/moby/client |
Go client for the Docker Engine API |
github.com/moby/moby/api |
API types shared between client and server |
The root module github.com/moby/moby/v2 is the codebase for building container engines based on Moby (such as Docker Engine).
It produces binaries only - it is not intended to be imported as a Go library and has no API stability guarantees.
Release tags
Docker Engine releases are tagged with a docker- prefix (e.g. docker-v29.0.0 for Docker Engine 29.0.0).
These tags are only used to build the Docker Engine binary from the root module - they must not be consumed via go get.
The client and api modules are versioned independently with their own tags (e.g. client/v1.x.x, api/v1.x.x).
Migrating from github.com/docker/docker
Replace the old import paths:
- import "github.com/docker/docker/client"
+ import "github.com/moby/moby/client"
- import "github.com/docker/docker/api/types"
+ import "github.com/moby/moby/api/types"
Note that v29 includes many breaking API changes (option structs, renamed methods, moved types). See the v29.0.0 release notes for the full list of Go SDK changes.
Legal
Brought to you courtesy of our legal counsel. For more context, please see the NOTICE document in this repo.
Use and transfer of Moby may be subject to certain restrictions by the United States and other governments.
It is your responsibility to ensure that your use and/or transfer does not violate applicable laws.
For more information, please see https://www.bis.doc.gov
Licensing
Moby is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.