VYPR
patch · Published Mar 3, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-28400: Docker Desktop for Mac Model Runner Flaw Enables Local DoS Attacks

A high-severity denial-of-service vulnerability in Docker Desktop for Mac's Model Runner component allows local attackers with low-privileged guest code execution to crash the host system.

Docker has patched a high-severity denial-of-service vulnerability in Docker Desktop for Mac's Docker Model Runner component, tracked as CVE-2026-28400. The flaw, disclosed by Trend Micro's Nitesh Surana through the Zero Day Initiative (ZDI-26-150), exposes a dangerous function that can be abused by a local attacker to crash the system.

The vulnerability resides in the Docker Model Runner, a component introduced to manage and run AI/ML models within Docker Desktop. The issue stems from the exposure of a dangerous function that, when triggered by an attacker with low-privileged code execution on the guest system, can cause a denial-of-service condition. The attack requires local access and the ability to execute code inside a container or VM, but does not require any elevated privileges on the guest.

Docker has released a security update to address the flaw, with details available in a GitHub security advisory for the model-runner repository. Users are strongly advised to update Docker Desktop for Mac to the latest version to mitigate the risk. The advisory notes that the vulnerability was reported to Docker on November 5, 2025, and the coordinated public disclosure occurred on March 3, 2026.

The vulnerability carries a CVSS score of 7.3 (High), with the vector string AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H. This indicates a local attack with low complexity and low privileges required, no user interaction, and a scope change: the impact crosses from the guest (the container or VM where the attacker's code runs) into the host. The primary impact is on availability (high); integrity impact is low, and confidentiality is not affected.

While the vulnerability does not allow for data theft or remote code execution, a successful denial-of-service attack can disrupt critical containerized workloads and development environments. For organizations relying on Docker Desktop for Mac in CI/CD pipelines or production-adjacent development, this flaw poses a significant operational risk.

This disclosure follows a broader trend of vulnerabilities emerging in AI/ML infrastructure components, as vendors rapidly integrate model runners and inference engines into their products. The Docker Model Runner, being a relatively new addition, highlights the security challenges of extending container platforms with AI capabilities. Users should prioritize applying the patch and review their exposure to local attacks on Docker Desktop systems.

Synthesized by Vypr AI