VYPR
Published Feb 25, 2026 · Updated May 18, 2026 · 1 source

Docker Desktop grpcfuse Kernel Module Out-of-Bounds Read Vulnerability (CVE-2026-2664) Patched in Version 4.62.0

Docker has released a fix for CVE-2026-2664, an out-of-bounds read information disclosure vulnerability in the grpcfuse kernel module of Docker Desktop, which could be chained with other flaws for kernel-level code execution.

Docker has patched a high-severity information disclosure vulnerability in Docker Desktop's grpcfuse kernel module, tracked as CVE-2026-2664. The flaw, disclosed by the Zero Day Initiative (ZDI) on February 25, 2026, allows local attackers with low privileges to read past the end of an allocated buffer via crafted procfs arguments. Docker addressed the issue in version 4.62.0, urging all users to update immediately.

The vulnerability resides in the handling of procfs arguments within the grpcfuse kernel module. According to the ZDI advisory (ZDI-26-125), the issue stems from a lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This out-of-bounds read can leak sensitive kernel memory to an attacker who already has low-privileged code execution on the target system.

While the vulnerability itself only enables information disclosure, the ZDI warns that an attacker could leverage it in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in kernel context. The CVSS score for CVE-2026-2664 is 6.5, with a vector of AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, reflecting the low attack complexity and potential for significant information leakage across security boundaries.
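To make the bug class concrete, the following is an added illustration of the pattern the advisory describes (a kernel-side handler that trusts caller-supplied index and length values when reading from a fixed-size allocation) next to its hardened form. It is constructed for this page and is not Docker's grpcfuse code; the record table, the `read_record_unchecked` and `read_record_checked` functions and the request wrappers are all hypothetical names chosen here, and the sample data is made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample allocation: a table of fixed-size records standing in
 * for a kernel buffer of known length. Hypothetical, not grpcfuse's layout. */
#define REC_SIZE  8
#define REC_COUNT 4
static const char table[] = "rec0....rec1....rec2....rec3....";
#define TABLE_LEN (sizeof(table) - 1)   /* 32 bytes of payload, NUL excluded */

/* Vulnerable pattern (illustrative): the index and length come straight from
 * the caller and are never compared against the allocation, so a request that
 * points past REC_COUNT or asks for more than REC_SIZE bytes reads whatever
 * memory follows `table`. This is the shape of an out-of-bounds read that
 * leaks kernel memory; it is shown here only for contrast. */
static int read_record_unchecked(size_t idx, size_t len, char *out) {
    memcpy(out, table + idx * REC_SIZE, len);   /* no bounds check at all */
    return (int)len;
}

/* Hardened pattern: every caller-controlled value is validated against the
 * allocation before a pointer is formed. Each check is ordered so that the
 * arithmetic that follows cannot overflow. Returns bytes copied, or -1. */
static int read_record_checked(size_t idx, size_t len, char *out, size_t out_len) {
    size_t start;
    if (idx >= REC_COUNT) return -1;          /* index outside the table */
    if (len > REC_SIZE)   return -1;          /* more than one record */
    if (len > out_len)    return -1;          /* would overflow the caller's buffer */
    start = idx * REC_SIZE;                   /* safe: idx < REC_COUNT, small constants */
    if (start + len > TABLE_LEN) return -1;   /* end of the read stays inside the table */
    memcpy(out, table + start, len);
    return (int)len;
}

/* Demonstration wrapper: performs a checked read into a scratch buffer and
 * reports the byte count (or -1), so the decision can be inspected on its own. */
static int checked_request(size_t idx, size_t len) {
    char scratch[REC_SIZE];
    return read_record_checked(idx, len, scratch, sizeof scratch);
}

/* Demonstration wrapper: returns 1 if a checked read succeeds and yields
 * exactly the expected bytes, 0 otherwise. */
static int checked_request_matches(size_t idx, size_t len, const char *expect) {
    char scratch[REC_SIZE];
    int n = read_record_checked(idx, len, scratch, sizeof scratch);
    if (n < 0 || (size_t)n != len) return 0;
    return memcmp(scratch, expect, len) == 0;
}

int main(void) {
    /* Constructed requests: one valid, three that a crafted caller might send. */
    struct { size_t idx, len; } reqs[] = {
        { 1, 4 }, { REC_COUNT, 1 }, { 3, REC_SIZE + 1 }, { 0, SIZE_MAX },
    };
    char valid[REC_SIZE];
    size_t i;

    /* The unchecked reader is only ever driven with an in-bounds request here. */
    read_record_unchecked(1, 4, valid);
    printf("unchecked (in-bounds only): %.4s\n", valid);

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int n = checked_request(reqs[i].idx, reqs[i].len);
        printf("idx=%zu len=%zu -> %s\n", reqs[i].idx, reqs[i].len,
               n < 0 ? "rejected" : "allowed");
    }
    return 0;
}
```

The ordering of the checks is the point: `len > REC_SIZE` is tested before `idx * REC_SIZE + len` is formed, so neither a huge `len` nor a huge `idx` can wrap the arithmetic and slip past the final comparison, which is the failure mode a "lack of proper validation of user-supplied data" finding usually reduces to.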

The vulnerability was discovered and reported by Pumpkin (@u1f383) from the DEVCORE Research Team, who submitted the report to Docker on December 18, 2025. Docker acknowledged the report and worked with the researcher to develop a fix, which was released in Docker Desktop version 4.62.0. The coordinated public disclosure occurred on February 25, 2026, the same day the advisory was updated.

Docker Desktop is widely used by developers and organizations for container management on Windows, macOS, and Linux. The grpcfuse kernel module is a component that enables FUSE (Filesystem in Userspace) operations via gRPC, allowing Docker Desktop to mount filesystems from the host into containers. The vulnerability affects all versions prior to 4.62.0, and users are strongly advised to upgrade to the latest version to mitigate the risk.

This disclosure follows a pattern of kernel-level vulnerabilities in containerization tools that could be exploited for privilege escalation. While no active exploitation has been reported for CVE-2026-2664, the availability of detailed technical information in the advisory could enable attackers to develop exploits. Docker's release notes for version 4.62.0 provide additional details on the fix.

The discovery by DEVCORE, a prominent Taiwanese security research team known for winning Pwn2Own Berlin 2026, underscores the ongoing scrutiny of container runtime security. As Docker Desktop continues to be a critical tool for millions of developers, vulnerabilities in its kernel components highlight the importance of keeping containerization software up to date to prevent potential system compromises.

Synthesized by Vypr AI