Unraid OS 7.2.5 Now Available

Unraid 7.2.5 is out now. This is a recommended update for everyone as it addresses WebGUI security issues, brings Docker up to version 29 with important runc CVE fixes, and patches a broad set of vulnerabilities across curl, GnuTLS, OpenSSL, libpng, xorg-server, the linux kernel, and more.

WebGUI Security Fixes

This release patches three WebGUI security issues that required an active logged-in session to exploit. 

This release also upgrades the Linux kernel to 6.12.85-Unraid, patching two vulnerabilities. CVE-2026-31431 is the Copy Fail local privilege escalation vulnerability, which allows a local attacker to gain elevated privileges. The update also includes the fix for CVE-2026-31430, an X.509 out-of-bounds access issue triggered by specially crafted certificates.

Docker Updated to Version 29

Docker has been updated from 27.5.1 to 29.3.1. The most significant security improvement here is a set of runc fixes patching CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881.

Breaking Change: Container MAC Addresses

Docker Engine 28 changed how MAC addresses are allocated for bridge and macvlan network endpoints. Containers may now receive a new dynamically generated MAC address each time they are created. 

Important: If any of your containers rely on a stable MAC for DHCP reservations, router or firewall rules, switch ACLs, or monitoring, you need to act shortly after upgrading. 

New: Fixed MAC Address Field in Docker Templates

Unraid 7.2.5 adds an optional MAC Address field to Docker templates. A value set here is preserved across Docker restarts, full host reboots, container recreates, and delete/re-add cycles — for bridge, custom macvlan/ipvlan, WireGuard, and user-defined Docker networks.

Existing templates that used --mac-address= in Extra Parameters are automatically migrated to the new field where it is safe to do so. Templates where networking is still fully owned by Extra Parameters are left unchanged.

Advanced View: Live Container MAC Addresses

Docker Advanced View now displays each running container's actual MAC address alongside the existing network and IP details. This makes it straightforward to reconcile what your router or firewall has versus what Docker is currently using.

Tailscale Serve/Funnel Fix

Stale Tailscale Serve/Funnel state is now cleared when a Docker container restarts, then reapplied based only on the mode currently configured in the Docker template. Previously, a container changed from Funnel or Serve to No could keep the old exposure active after a restart — that's now fixed!

Storage Fixes

Mover Empty-Disk Action

The mover empty-disk action is now correctly available on systems with user shares enabled but no pool devices assigned. The action is still appropriately disabled during parity, mover, and BTRFS operations — this just restores it in configurations where it was incorrectly missing.

Partition Layout Preservation

When an array disk with a non-standard partition layout (such as a legacy sector-63 alignment) is unassigned and reassigned, Unraid no longer rewrites the partition at sector 64. Previously this would make the existing filesystem unmountable. The existing layout is now preserved.

Other Fixes

Login Page

Custom case-model images on the login page are restored. This was a known regression in 7.2.4 and is now resolved.

Unraid API

An API startup failure where the service could time out while bootstrapping and enter a restart loop is fixed. Registration-state refresh after license updates is also improved, so the WebGUI reflects the current license state more reliably.

Package and CVE Updates

This release includes security and stability updates to a wide range of base packages. A full list of resolved CVEs is in the release notes; the highlights are below.

Also updated: bind, libarchive, libxml2, libxslt, zlib. Added: ngtcp2 1.22.1.