CVE-2026-8936

Vulnerability

A VM panic vulnerability exists in the grpcfuse kernel module within Docker Desktop. This issue is triggered when a container creates deeply nested directories on a bind-mounted host folder and subsequently causes a dentry invalidation event, leading to unbounded recursion. This affects versions prior to Docker Desktop 4.76.0.

Exploitation

An attacker with the ability to run containers on a Docker Desktop instance can exploit this vulnerability. The attacker needs to create a container that binds to a host folder and then programmatically create a very deep nesting of directories within that bind mount. This action, when combined with a dentry invalidation event, triggers the unbounded recursion.

Impact

Successful exploitation of this vulnerability results in a VM panic, causing a denial of service for the Docker Desktop environment. This effectively halts all container operations and requires a restart of the Docker Desktop application.

Mitigation

This vulnerability has been fixed in Docker Desktop version 4.76.0, released on June 1, 2026 [1]. Users are advised to update to this version or later to resolve the issue. No workarounds are available for older versions.