Version 7.3.2 2026-07-08
Unraid OS 7.3.2 is a security and bugfix release including Linux kernel 6.18.38, Docker VLAN networking fixes, storage and boot-pool fixes, virtualization UI fixes, Unraid API 4.35.1, and several base package updates.
Recommended for all users.
Upgrading
For step-by-step instructions, see Updating Unraid. Questions about your license?
Known issues
- No new release-specific known issues are noted. For issues inherited from prior releases, see the Unraid OS 7.3.1 release notes.
Notes
- This release includes security-related base package updates. Package-level CVE annotations are listed in Base distro updates.
Rolling back
- No new rollback limitations are noted for this release. Before rolling back, review the Unraid OS 7.3.1 release notes.
BREAKING CHANGES
- None.
Changes vs. Unraid OS 7.3.1
Security
- Security: Fixed a WebGUI
update.phppath-traversal command execution vulnerability, CVE-2026-3838. - Security: Includes base package security fixes with CVE coverage for multiple components; package-level CVE details are listed in Base distro updates.
Containers / Docker
- Fix: Docker VLAN auto-networks can fall back to the configured Docker gateway so containers keep outbound connectivity.
- Improvement: Improved Docker tab load performance by keeping synchronous I/O off the Docker tab render path, based on a community contribution from TSpader (thank you!)
Storage
- Fix: Boot pool replacement no longer leaves a stale missing mirror member in the affected replacement case.
- Fix: Removing a boot pool device no longer triggers the regression that could fail the operation.
- Fix: Formatting a pool device whose name overlaps with a boot device no longer triggers a false positive invalid-target assertion.
- Fix: Dashboard cache pool size and usage reporting is corrected for Btrfs RAID1 pools.
WebGUI / System
- New: Added monitor status output for panel indication plugins that use LED and LCD state.
- Fix: Shutdown and reboot syslog saving now creates
/boot/logsbefore writing syslog files. - Fix: System Devices controller listings no longer include unrelated devices in affected cases.
- Fix: Internal Boot with Flash Licensing better handles transient USB license device resets.
Networking / Hardware
- Fix: Avahi/mDNS update can start the daemon again after transient network loss.
- Fix: Intel GPU PCI speed reporting is corrected.
- Improvement: Intel iGPU SR-IOV controls are shown only when the supporting plugin is installed.
Virtualization
- Fix: VM CPU usage no longer reports high usage caused by unrelated host tasks.
- Fix: VM context menu positioning is corrected.
- Improvement: VM Network Source dropdown entries are sorted and the control is wider for easier scanning.
- Fix: Removed an obsolete VM reboot banner message when VM PCI options are enabled.
Unraid API
- Update Unraid API to dynamix.unraid.net 4.35.1.
Linux kernel
- Linux kernel: update to 6.18.38-Unraid. CONFIG_USB_AUTOSUSPEND_DELAY=-1
Base distro updates
Added packages (3)
- libcbor: version 0.14.0
- libfido2: version 1.17.0
- libmaxminddb: version 1.13.3
Updated packages (73)
- aaa_libraries: version 15.1-50 -> 15.1-51
- acl: version 2.3.2 -> 2.4.0
- at-spi2-core: version 2.60.4 -> 2.60.5
- attr: version 2.5.2 -> 2.6.0
- bash: version 5.3.009-2 -> 5.3.015-2
- bash-completion: version 2.17.0 -> 2.18.0
- bind: version 9.20.23 -> 9.20.24-2 (security fix noted; no CVE IDs listed)
- ca-certificates: version 20260413 -> 20260616
- cifs-utils: version 7.5 -> 7.6
- curl: version 8.20.0 -> 8.21.0 (NVD: CVE-2026-9079, CVE-2026-9080, CVE-2026-9545, CVE-2026-9546, CVE-2026-9547)
- dnsmasq: version 2.92rel2 -> 2.93 (CVE-2026-2291)
- docker: version 29.5.2 -> 29.5.3
- dynamix.unraid.net: version 4.34.0 -> 4.35.1
- elogind: version 255.25 -> 255.27
- etc: version 15.1-16 -> 15.1-17
- exfatprogs: version 1.3.2 -> 1.4.2
- file: version 5.47-2 -> 5.48
- fontconfig: version 2.18.0-2 -> 2.18.1
- gdk-pixbuf2: version 2.44.6 -> 2.44.7
- git: version 2.54.0 -> 2.55.0
- glib2: version 2.88.1 -> 2.88.2
- graphite2: version 1.3.14-3 -> 1.3.15-2
- harfbuzz: version 14.2.0 -> 14.2.1
- iproute2: version 7.0.0 -> 7.1.0-2
- jansson: version 2.15.0 -> 2.15.1
- json-c: version 0.18_20240915 -> 0.19
- kbd: version 2.9.0 -> 2.10.0
- krb5: version 1.22.2-2 -> 1.22.2-3
- less: version 702 -> 704
- libarchive: version 3.8.7 -> 3.8.8 (security fix noted; no CVE IDs listed)
- libdrm: version 2.4.133 -> 2.4.134
- libevent: version 2.1.12-4 -> 2.1.13 (security fix noted; no CVE IDs listed)
- libffi: version 3.5.2 -> 3.6.0
- libidn: version 1.43 -> 1.44 (security fix noted; no CVE IDs listed)
- libjpeg-turbo: version 3.1.4.1 -> 3.2.0
- libnvme: version 1.16.1 -> 1.16.2
- libpsl: version 0.21.5 -> 0.22.0
- libseccomp: version 2.6.0 -> 2.6.1 (security fix noted; no CVE IDs listed)
- libtiff: version 4.7.1 -> 4.7.2
- liburing: version 2.14 -> 2.15
- libvirt-php: version 0.5.8-8.4.21 -> 0.5.8-8.4.23
- libxkbcommon: version 1.13.1 -> 1.13.2
- lmdb: version 0.9.35 -> 1.0.0
- lsof: version 4.99.6 -> 4.99.7
- mesa: version 26.1.1 -> 26.1.4
- nano: version 9.0 -> 9.1
- net-tools: version 20181103_0eebece-3 -> 20181103_0eebece-5 (CVE-2025-46836)
- nghttp3: version 1.15.0 -> 1.17.0
- nginx: version 1.30.1-1 -> 1.30.3-1 (NVD: CVE-2026-9256, CVE-2026-42055, CVE-2026-48142)
- ngtcp2: version 1.22.1 -> 1.24.0
- noto-fonts-ttf: version 2026.05.01 -> 2026.07.01
- openssh: version 10.3p1 -> 10.4p1 (security fix noted; no CVE IDs listed)
- openssl: version 3.5.6-2 -> 3.5.7 (CVE-2026-34182, CVE-2026-34183, CVE-2026-42764, CVE-2026-45447; NVD: CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446)
- pango: version 1.57.1 -> 1.58.0
- php: version 8.4.21-1 -> 8.4.23-1 (CVE-2026-14355)
- pkgtools: version 15.1-31 -> 15.1-32
- qemu: version 10.2.2-1 -> 10.2.3-1
- rsync: version 3.4.3 -> 3.4.4
- samba: version 4.22.8 -> 4.22.10 (CVE-2026-1933, CVE-2026-2340, CVE-2026-3012, CVE-2026-3238, CVE-2026-4408, CVE-2026-4480)
- shadow: version 4.19.4-2 -> 4.19.4-6 (security fix noted; no CVE IDs listed)
- shared-mime-info: version 2.4-2 -> 2.5.1
- spirv-llvm-translator: version 22.1.2 -> 22.1.4
- sqlite: version 3.53.1 -> 3.53.3 (NVD: CVE-2026-11822, CVE-2026-11824)
- sysvinit-scripts: version 15.1-36 -> 15.1-38
- tree: version 2.3.1 -> 2.3.2
- util-linux: version 2.42.1 -> 2.42.2
- wireless-regdb: version 2026.03.18 -> 2026.05.30
- xclock: version 1.1.1 -> 1.2.0
- xinit: version 1.4.4 -> 1.4.4-2
- xkeyboard-config: version 2.47 -> 2.48
- xlsclients: version 1.1.5 -> 1.1.6
- xorg-server: version 21.1.22-3 -> 21.1.23 (security fix noted; no CVE IDs listed)
- zfs: version 2.4.2 -> 2.4.3