This is the 1.22.3 release of Rancher Desktop, an open source desktop application to bring Kubernetes and container management to macOS, Windows, and Linux.
Installers
- Windows
- macOS x86_64
- macOS aarch64
- Linux install notes
Release Notes for 1.22.3
Rancher Desktop 1.22.3 is a security-focused patch release. We strongly recommend upgrading.
Security Fixes
Container escape mitigation (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500)
Three recent Linux kernel exploits — copy.fail (CVE-2026-31431) and the two dirtyfrag variants (CVE-2026-43284, CVE-2026-43500) — let unprivileged processes gain a page-cache write primitive and tamper with files outside their normal reach. Inside Rancher Desktop, that means an attacker with code execution in any container could escape that scope and modify the rest of the VM.
Each exploit needs a specific Linux kernel module loaded. Rancher Desktop now removes those modules, so the exploits have nothing to hook into.
Modules removed:
──────────┬──────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────
Module │Used for │CVE it enables
──────────┼──────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────
esp4 / │IPsec ESP (site-to-site VPN gateways, e.g. strongSwan, libreswan) │CVE-2026-43284 (dirtyfrag, XFRM ESP)
esp6 │ │
──────────┼──────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────
rxrpc │RxRPC protocol, used almost exclusively by AFS / kAFS (Andrew File System)│CVE-2026-43500 (dirtyfrag, AF_RXRPC)
──────────┼──────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────
algif_aead│Kernel AEAD crypto via AF_ALG sockets (offload to hardware accelerators) │CVE-2026-31431 (copy.fail)
──────────┴──────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────
What this means for you: unless you run an IPsec VPN endpoint or an AFS client, the removal is invisible to you.
On macOS and Linux, the rebuilt Alpine VM image omits the modules. (#10220, #10248)
On Windows, WSL2 provides kernel modules through a single overlay shared by every WSL distro running on the host, which means:
- When Rancher Desktop starts, it removes these modules for all running WSL distros, not just its own. Other distros will lose IPsec ESP, AFS, and AF_ALG until WSL itself restarts.
- When WSL restarts (e.g. wsl --shutdown followed by launching any distro), the upstream WSL kernel restores the modules.
- The next time Rancher Desktop starts, it removes them again.
This is an "apply-on-start" / "forget-on-stop" lifecycle: Rancher Desktop never persists changes to your WSL installation. (#10247)
The bundled Alpine VM image also picks up a newer kernel containing additional upstream security patches.
Bug Fixes
Bind mounts via the Docker --mount flag on Windows
In Rancher Desktop 1.22.2, docker run --mount type=bind,... on Windows could mount the wrong directory or fail to start the container. This release restores correct bind-mount behavior; the -v /path:/path shorthand stayed correct throughout. (#10252)
Release Notes for 1.22.2
Rancher Desktop 1.22.2 is a patch release fixing a critical bug on macOS (and maybe on Linux). It contains no further changes beyond the following 2 items:
Fixed data volume mount on macOS
Under certain conditions, the data volume failed to mount on macOS. In that case, all data was stored in a RAM disk, which is limited to the amount of memory allocated to the VM (usually 6GB). This resulted in early out-of-memory errors when building or pulling images.
When Rancher Desktop was restarted, all data from the current session was lost because it was never written to disk. Theoretically, this could also have happened on Linux, but it has only been reported in macOS (#9754 and #10133)
Upgrade trivy 0.68.2 → 0.70.0
This upgrade also includes an upgrade to trivy 0.70.0 because the 0.68.2 version is no longer available for download. There are no known issues with 0.68.2; it just is no longer accessible.
Release Notes for 1.22.1
The 1.22.1 release did not fix the bug it was supposed to fix and was replaced with Rancher Desktop 1.22.2.
Release Notes for 1.22.0
What's New
Select moby storage driver
Version 1.21.0 switched to the containerd-snapshotter storage driver by default. On Windows, this happened unconditionally (even on upgrades), which made existing images inaccessible.
Users can now choose between the classic and containerd-snapshotter storage drivers via rdctl:
rdctl set --container-engine.moby-storage-driver classic
rdctl set --container-engine.moby-storage-driver snapshotter
Rancher Desktop automatically selects the driver based on where your existing images are stored. See Migrating Images for instructions on moving images between storage drivers. Windows users affected by the 1.21.0 issue can switch back to the classic driver to regain access to their images. (#9732)
Docker 29 in the VM
Alpine Linux has been updated to version 3.23, which includes Docker 29. This fixes issues with docker inspect returning incomplete image metadata. (#9671, #9739)
Kubernetes Dashboard improvements
Pod log streaming now works in the Dashboard. This was broken since version 1.6.0. (#3212)
The Dashboard button now waits until the Steve API server accepts connections before becoming active. Previously, clicking the button too quickly after Kubernetes started would show a spinner that never resolved. (#8217)
The non-functional "Download KubeConfig" and "Kubectl Shell" buttons have been removed from the cluster dashboard. (#2208, #8151, #8757)
Docker Compose 5.0
Docker Compose has been updated to version 5.0. Key changes include:
- Compose can now be used as an SDK for third-party integrations
- The internal builder has been removed; builds are delegated to Docker Bake
- Hooks now run on restart
- New --wait option for the start command
Helm 4.0
Helm has been updated to version 4.0. See the Helm 4.0 release notes for details on the changes.
Diagnostics
Moby image store check
A new diagnostic reports when images exist in the inactive image store (classic vs. containerd-snapshotter), helping identify which images need migration. (#9733)
Windows: wsl-vpnkit detection
A new diagnostic warns when the wsl-vpnkit distribution is present, as it can cause networking issues with Rancher Desktop. (#9623)
Bug Fixes
macOS CA management with multiple keychains
Fixed a bug where certificates from multiple keychains were being written to the same file path, causing only the last keychain's certificates to be processed. (#9755)
K3s version channel labels not updating
Fixed an issue where version channel labels (e.g, stable, latest, v1.xx) were not removed from old versions when they moved to newer versions, causing multiple patch versions to appear in the recommended list. (#9709)
K3s image loading for older versions
Made the --all-platforms flag optional when loading K3s images, so older K3s versions (before 1.31) load images correctly. (#9708, #9710)
rdctl info works after upgrade
Fixed an issue where rdctl info failed with a BusyBox error for users who upgraded from version 1.19.3 or earlier, or restored an old snapshot. The 1.21.0 release notes mentioned a manual workaround; this is no longer needed. (#9546, #9554)
Containers page error handling
Fixed an "[object Object]" error that appeared on the Containers page when the backend became temporarily unavailable. (#9545, #9661)
Connectivity check uses HTTPS
The network connectivity diagnostic now uses an HTTPS HEAD request instead of HTTP GET, improving privacy by encrypting the request. (#9711)
Linux packaging fixes
Fixed an issue where the Debian package did not set the suid bit on chrome-sandbox, causing the application to fail to start on Debian and Ubuntu systems.
The virtualization support check now works correctly on Linux arm64 systems.
Extension fixes
Fixed several issues with Docker Desktop extensions:
- Uninstall and upgrade buttons on the Installed tab now work correctly
- Extension metadata and icons refresh properly after reinstalling an extension
- Extensions without containers no longer cause errors during uninstall
- The ddClient.extension object now includes the id and version fields as specified by the Docker Desktop Extension API
Updates to Bundled Utilities (from Rancher Desktop 1.21.0)
- docker 29.0.2 → 29.1.4
- docker-compose 2.40.3 → 5.0.1
- docker-credential-helpers 0.9.4 → 0.9.5
- helm 3.19.1 → 4.0.5
- nerdctl 2.2.0 → 2.2.1
- trivy 0.67.2 → 0.70.0
Unchanged:
- amazon-ecr-credential-helper 0.11.0
- docker-buildx 0.30.1
- kuberlr 0.6.1
- spin 3.5.1
- spin-shim 0.22.0
- spin-operator 0.6.1
Connect with the developers
- The issue queue
- Rancher Users Slack in the #rancher-desktop channel
Changelog
The full version changelog, from v1.21.0, can be found using GitHub compare and the details of the release can be found in the v1.22.0 milestone.
