
Docker and Docker Desktop Flaws Expose Systems to Security Bypass Risks

Tags: widely-deployed-product-advisory, endpoint-security-bypass, endpoint-software-vulnerability
Updated April 24, 2026 at 11:01 AM (3 sources)

German authorities issued advisories for multiple vulnerabilities in Docker and a separate Docker Desktop flaw that allows security measures to be bypassed, highlighting security risks across both the container engine ecosystem and the desktop management platform. The notices identify Docker broadly as affected in one case, while the other specifically warns that Docker Desktop contains a vulnerability that could let attackers circumvent intended protections.

The paired advisories indicate that organizations using Docker in development or production environments may face exposure from both general software weaknesses and a more targeted bypass issue in Docker Desktop. Security teams should review affected versions, assess where Docker and Docker Desktop are deployed, and prioritize vendor guidance and patching to reduce the risk of unauthorized access or weakened container security controls.

Timeline

  1. Apr 24, 2026

    dCERT discloses Docker Desktop privilege escalation vulnerability

    dCERT published Advisory 2026-1237 for Docker Desktop describing a vulnerability that allows privilege escalation. No additional technical details or remediation information are provided in the reference content.

  2. Apr 8, 2026

    dCERT warns of Docker Desktop security bypass vulnerability

    dCERT published Advisory 2026-0973 for Docker Desktop describing a vulnerability that allows bypassing security measures. The reference does not include additional remediation or impact details.

  3. Mar 26, 2026

    dCERT publishes advisory on multiple Docker vulnerabilities

    dCERT issued Advisory 2026-0851 covering multiple vulnerabilities affecting Docker. No further technical details are provided in the reference content.

Related Stories

Docker Desktop for Windows 0-Days Enable Host Privilege Escalation From Containers

Zero Day Initiative disclosed two **Docker Desktop for Windows** privilege-escalation flaws after Docker rejected the reports as outside its threat model. The first issue, tracked as **ZDI-26-258** / `ZDI-CAN-27229`, affects the `extension-manager` component and is caused by an exposed dangerous function in Docker Extensions. ZDI said an attacker who can already execute high-privileged code inside a container could exploit the flaw to run arbitrary code on the Windows host as **SYSTEM**. The advisory lists no assigned CVE and a **CVSS 8.2** score, and credits **Nitesh Surana of TrendAI Research** with the discovery. A second advisory, **ZDI-26-260** / `ZDI-CAN-27571`, describes an uncontrolled search path issue in the Docker Desktop `system/editor` endpoint caused by execution of a program from an unsecured location. ZDI said exploitation requires an attacker to first escape the container and execute high-privileged code inside the Docker **Hyper-V VM**, after which arbitrary code can be run on the host in the context of the current user; the flaw carries a **CVSS 7.5** score. The issue was reported to Docker in July 2025 by **Nitesh Surana and Nelson William Gamazo Sanchez of TrendAI Research**, but was later published as a 0-day after the vendor declined to address it because it depended on prior privileged access.

3 weeks ago
Docker Engine AuthZ Bypass Flaw Enables Host Access via Oversized API Requests

Docker disclosed a high-severity Docker Engine vulnerability, **CVE-2026-34040** (`CVSS 8.8`), that allows attackers to bypass authorization plugins and perform actions that should be blocked. The flaw stems from an incomplete fix for **CVE-2024-41110** and is triggered when a specially crafted oversized Docker API request causes the request body to be dropped before inspection by an AuthZ plugin. In affected environments, the plugin may approve container operations it would otherwise deny, opening a path to unauthorized privileged actions and potential host compromise. Researchers said an attacker with Docker API access could exploit the bug by padding a container-creation request beyond **1 MB** to launch a privileged container with access to the host filesystem, exposing sensitive assets such as **AWS credentials**, **SSH keys**, and **Kubernetes configurations**. The issue affects deployments that rely on authorization plugins inspecting request bodies, while environments not using those plugins are not impacted. Docker patched the vulnerability in **Docker Engine 29.3.1** and urged defenders to upgrade, restrict Docker API access, avoid AuthZ plugins that depend on request-body inspection, and use controls such as rootless mode, user namespace remapping, and least-privilege access to reduce risk.

4 weeks ago
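As an added illustration of the failure mode behind CVE-2026-34040 (this is not Docker's code and not any shipped plugin), the Go sketch below shows an AuthZ plugin decision function that fails closed when a container-create request reaches it without an inspectable body, instead of approving what it cannot see. The request and response field names are an assumption taken from Docker's authorization plugin protocol, and the sample requests are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest: the fields Docker posts to a plugin's AuthZReq hook (assumption:
// per the authz plugin docs; RequestBody is base64 on the wire, []byte here).
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"`
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Decide is a fail-closed policy for container creation: a create request whose
// body is missing cannot be inspected, so it is denied rather than allowed. That
// gap is what CVE-2026-34040 abused (body dropped before the plugin saw it).
func Decide(req AuthZRequest) AuthZResponse {
	if req.RequestMethod != "POST" || !strings.Contains(req.RequestURI, "/containers/create") {
		return AuthZResponse{Allow: true} // not a create call; outside this policy's scope
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "container create without inspectable body: denied"}
	}
	// encoding/json matches field names case-insensitively, so no tags are needed here.
	var spec struct{ HostConfig struct{ Privileged bool } }
	if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
		return AuthZResponse{Allow: false, Msg: "unparseable create body: denied"}
	}
	if spec.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: "privileged container refused"}
	}
	return AuthZResponse{Allow: true}
}

func main() { // constructed sample: the same privileged create call with, then without, its body
	uri, body := "/v1.45/containers/create", []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	fmt.Printf("%+v\n", Decide(AuthZRequest{RequestMethod: "POST", RequestURI: uri, RequestBody: body}))
	fmt.Printf("%+v\n", Decide(AuthZRequest{RequestMethod: "POST", RequestURI: uri}))
}
```

The engine-side fix is the real remediation; a plugin written this way only limits the damage if a body is ever dropped again, and the page's other advice (restricting API access, rootless mode, user namespace remapping) still applies.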
Critical runC Vulnerabilities Enable Full Container Escape and Host Compromise

Security researchers have disclosed three critical vulnerabilities in the runC container runtime, which is widely used in platforms such as Docker and Kubernetes. The flaws, identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, arise from logic and race-condition errors in runC's handling of temporary bind mounts, symbolic links, and certain write operations. Attackers can exploit these weaknesses to break container isolation, potentially gaining write access to sensitive host system files and kernel interfaces such as `/proc/sys/kernel/core_pattern` or `/proc/sysrq-trigger`, leading to full container escapes and even host-level compromise. The vulnerabilities allow attackers to abuse masked paths, console bind-mounts, and redirected writes, bypassing standard hardening and isolation controls. Exploitation requires either custom mount configurations or the use of untrusted container images, but the risk is significant for orchestrated environments like Docker and Kubernetes. Security advisories from both the runC project and the U.S. National Vulnerability Database urge immediate updates to patched versions or the application of provided patches to mitigate these threats. The vulnerabilities highlight the importance of robust container runtime security and the potential impact of logic flaws in core infrastructure components.

1 month ago