23.0.18
Release date | Name | Upstream release
---|---|---
2025-APR-22 | MCR 23.0.18 | Moby 23.0.18 and Docker CLI 23.0.18
Changelog
MCR 23.0.18 comprises the Moby 23.0.18 upstream release.
Changes specific to MCR
MCR contains the following component updates:
Fipster (Go runtime)
go1.23.8-m1
Changes from upstream
The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.18 patch release focuses on the delivery of CVE and bug fixes.
Security
golang.org/x/net/http/httpproxy
Fix CVE-2025-22870: proxy, http/httpproxy: do not mismatch IPv6 zone IDs against hosts. Before the fix, a host literal carrying an IPv6 zone ID (for example [2001:db8::1%25.example.com]) could be matched against a NO_PROXY domain pattern such as *.example.com, so the request bypassed the configured proxy.
openssl
Fix CVE-2024-13176: Adds a constant-time implementation of ECDSA to mitigate a potential timing side channel during signature computation.
Fix CVE-2024-9143: Adds additional checking of explicit elliptic curve parameters.
Fix CVE-2024-5535: Fixes a case where calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer could cause a crash or send memory contents to the peer.
runc
Follow-up to the fix for CVE-2024-45310: Handle all possible os.MkdirAll cases to address regressions introduced by the original fix.
containerd
Fix GHSA-265r-hfxg-fhmg: Fix integer overflow in User ID handling.
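The golang.org/x/net item above is easy to misread as a parsing nicety, so here is the failure mode in working code. This is an added example, not code from the MCR release notes or from golang.org/x/net: NoProxy is a hypothetical, deliberately simplified NO_PROXY matcher (domain suffixes plus addresses and CIDRs, no port handling) written only to show the CVE-2025-22870 class of bug. BypassVulnerable reproduces the pre-fix logic, where net.ParseIP rejects an address with a zone ID so the raw host string falls through to domain-suffix matching; BypassHardened parses with netip.ParseAddr, which accepts zone IDs, and never consults domain patterns for an IP literal. The host strings in main are constructed test input, shown in the percent-decoded form that url.Hostname() yields.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// NoProxy is a hypothetical, simplified NO_PROXY matcher used only to illustrate
// the CVE-2025-22870 class of bug: domain suffixes plus addresses/CIDRs, no ports.
type NoProxy struct {
	domains []string       // ".example.com" matches subdomains; "example.com" also matches itself
	cidrs   []netip.Prefix // single addresses are stored as /32 or /128
}

// ParseNoProxy splits a comma-separated NO_PROXY value into matchers.
func ParseNoProxy(s string) NoProxy {
	var np NoProxy
	for _, e := range strings.Split(s, ",") {
		e = strings.ToLower(strings.TrimSpace(e))
		if e == "" {
			continue
		}
		if p, err := netip.ParsePrefix(e); err == nil {
			np.cidrs = append(np.cidrs, p)
		} else if a, err := netip.ParseAddr(e); err == nil {
			np.cidrs = append(np.cidrs, netip.PrefixFrom(a, a.BitLen()))
		} else {
			np.domains = append(np.domains, strings.TrimPrefix(e, "*")) // "*.example.com" -> ".example.com"
		}
	}
	return np
}

// hostOf returns the lower-cased host of "host", "host:port" or "[v6]:port".
func hostOf(addr string) string {
	if h, _, err := net.SplitHostPort(addr); err == nil {
		return strings.ToLower(h)
	}
	return strings.ToLower(strings.Trim(addr, "[]"))
}

func matchDomain(host, pat string) bool {
	if strings.HasPrefix(pat, ".") {
		return strings.HasSuffix(host, pat)
	}
	return host == pat || strings.HasSuffix(host, "."+pat)
}

func (np NoProxy) inCIDRs(a netip.Addr) bool {
	// Prefix.Contains never matches an address that still carries a zone, and an
	// IPv4 literal coming from net.ParseIP arrives as a v4-mapped v6 address.
	a = a.WithZone("").Unmap()
	for _, c := range np.cidrs {
		if c.Contains(a) {
			return true
		}
	}
	return false
}

// BypassVulnerable mirrors the pre-fix behaviour: net.ParseIP rejects "addr%zone",
// so "2001:db8::1%.example.com" is not treated as an IP literal and the raw string,
// zone ID included, is matched against the domain suffixes.
func (np NoProxy) BypassVulnerable(addr string) bool {
	host := hostOf(addr)
	if ip := net.ParseIP(host); ip != nil {
		if a, ok := netip.AddrFromSlice(ip); ok && np.inCIDRs(a) {
			return true
		}
	}
	for _, d := range np.domains {
		if matchDomain(host, d) {
			return true
		}
	}
	return false
}

// BypassHardened parses with netip.ParseAddr, which accepts zone IDs, and never
// consults domain patterns for an IP literal.
func (np NoProxy) BypassHardened(addr string) bool {
	host := hostOf(addr)
	if a, err := netip.ParseAddr(host); err == nil {
		return np.inCIDRs(a)
	}
	for _, d := range np.domains {
		if matchDomain(host, d) {
			return true
		}
	}
	return false
}

func main() {
	np := ParseNoProxy("*.example.com,10.0.0.0/8,fe80::1") // constructed NO_PROXY value
	for _, addr := range []string{ // constructed request hosts
		"api.example.com:443", "[2001:db8::1%.example.com]:80", "[fe80::1%eth0]:80", "10.1.2.3:443", "evil.test:80",
	} {
		fmt.Printf("%-32s bypass before fix=%-5v after fix=%v\n", addr, np.BypassVulnerable(addr), np.BypassHardened(addr))
	}
}
```

Two things to note when running it. The zone-ID host is the one the vulnerable matcher wrongly bypasses, and the same host with a real link-local address and interface zone ([fe80::1%eth0]) shows the opposite error in the old logic: an address that is listed in NO_PROXY is not recognised because net.ParseIP cannot parse it. The zone is stripped with WithZone("") before the CIDR comparison because netip.Prefix.Contains always reports false for an address that still carries one.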
Bug fixes
containerd
containerd/containerd#11319: Fix fatal map concurrency error in httpstream.
containerd/containerd#10764: Fix the race condition during GC of snapshots when client retries.
containerd/containerd#11359: Fix console TTY leak in runc shim.
containerd/containerd#11100: Fix panic due to nil dereference in cgroups v2.
runc
opencontainers/runc#4417: In certain situations (a system with many mounts, or racing mounts) runc could leak mounts from the container into the host.
opencontainers/runc#4444: The fallback logic for O_TMPFILE clones of /proc/self/exe had a bug that caused it to miss non-noexec directories and thus fail to start containers on some systems.
opencontainers/runc#4294, opencontainers/runc#4452: The cloned /proc/self/exe file descriptor could sometimes be placed where the Go runtime would clobber it. An earlier fix did not cover all cases; the rare remaining circumstances are now fixed.
GitHub milestones
The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.18 release:
Major component versions
Version detail for the major components that comprise MCR 23.0.18 is presented in the table below:
Component | Version
---|---
Fipster (Go runtime) | go1.23.8-m1
Known issues
Known issues that apply to Moby 23.0.18, and thus also to MCR 23.0.18, include:
moby/moby#47728: The DNS records for containers on a node that has restarted may not be resolvable by containers on other nodes on the same overlay network. This may also occur without a daemon restart if the underlay network is experiencing packet loss at the time the container is started. Only recently uncovered, this has been an issue since the advent of the NetworkDB Moby component.