VYPR
Patch · Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

Docker Desktop Local Privilege Escalation Flaw (CVE-2025-15558) Patched After ZDI Disclosure

A local privilege escalation vulnerability in Docker Desktop's plugins directory handling, tracked as CVE-2025-15558, allows attackers with low-privileged code execution to gain elevated access; Docker has released a fix.

Docker has released a security update to address a local privilege escalation vulnerability in Docker Desktop, tracked as CVE-2025-15558 and disclosed via the Zero Day Initiative (ZDI-26-152). The flaw, reported by Nitesh Surana of Trend Research, stems from an uncontrolled search path element in the handling of the plugins directory path. An attacker who already has the ability to execute low-privileged code on a target system can exploit this vulnerability to escalate privileges and run arbitrary code in the context of the target user.

The vulnerability was reported to Docker on October 16, 2025, and the coordinated public advisory was released on March 6, 2026. Docker has issued an update to correct the issue, with details available in a GitHub security advisory (GHSA-p436-gjf2-799p). The flaw carries a CVSS score of 7.8, indicating high severity, with the attack vector being local and requiring low privileges and no user interaction.

Docker Desktop is widely used by developers and organizations for container management, making this vulnerability particularly concerning in shared or multi-tenant environments. An attacker who successfully exploits the flaw could gain the same privileges as the target user, potentially leading to data theft, installation of malware, or further lateral movement within a network.

The uncontrolled search path element vulnerability means that Docker Desktop executes a program from an unsecured location, allowing an attacker to place a malicious plugin in a directory that the application searches before the intended secure location. This type of flaw is common in software that dynamically loads libraries or plugins without verifying the integrity of the search path.
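A defender-side audit for the condition described above, as an added example that is not Docker's code and does not come from the advisory: it walks an ordered plugin search path and reports every entry, searched before the trusted location, that a less-privileged user could write to or create. The directory names are hypothetical (the page does not give Docker Desktop's real paths), and POSIX ownership and mode bits are assumed.

```python
import os
import stat

def _risk(path, trusted_uids):
    """Return why `path` is unsafe to load code from, or None if it looks safe."""
    probe = os.path.abspath(path)
    missing = not os.path.isdir(probe)
    while not os.path.isdir(probe):       # a missing entry can be created by whoever
        probe = os.path.dirname(probe)    # controls its nearest existing ancestor
    st = os.stat(probe)
    what = f"missing; ancestor {probe}" if missing else "directory"
    if st.st_uid not in trusted_uids:
        return f"{what} owned by untrusted uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{what} is group- or world-writable"
    return None

def audit_search_path(search_dirs, trusted_dir, trusted_uids):
    """List (dir, reason) for every entry searched before trusted_dir that a
    less-privileged user could plant a file in."""
    findings = []
    trusted_real = os.path.realpath(trusted_dir)
    for d in search_dirs:
        if os.path.realpath(d) == trusted_real:
            break                          # later entries cannot shadow the trusted one
        reason = _risk(d, trusted_uids)
        if reason:
            findings.append((d, reason))
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed layout: hypothetical plugin directories, not Docker Desktop's real paths.
    base = tempfile.mkdtemp()
    order = [os.path.join(base, n) for n in ("user-plugins", "shared-plugins", "app-plugins")]
    for d, mode in zip(order, (0o755, 0o777, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    for d, why in audit_search_path(order, order[2], {0, os.getuid()}):
        print(f"RISK {d}: {why}")
```

Only each entry itself, or its nearest existing ancestor when the entry is missing, is inspected; a writable directory higher up the tree, or a Windows ACL, needs a separate check.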

Docker has not disclosed whether the vulnerability has been exploited in the wild, but given the public disclosure and the availability of technical details, users are strongly advised to apply the update as soon as possible. The fix is included in the latest version of Docker Desktop, and administrators should prioritize patching on systems where multiple users have access.

This disclosure follows a broader trend of privilege escalation vulnerabilities in developer tools and container platforms. As Docker Desktop is a critical component in many CI/CD pipelines and development environments, even local flaws can have significant security implications. The coordinated disclosure process between ZDI and Docker highlights the importance of responsible vulnerability reporting and timely patching.

Users can check their Docker Desktop version and apply the update through the official Docker Desktop release notes. The GitHub advisory provides additional technical details for security teams and system administrators who need to assess their exposure and implement mitigations.

Synthesized by Vypr AI