VYPR
Patch · Published Jun 3, 2026 · Updated Jun 4, 2026 · 1 source

Docker Desktop Vulnerability Allows Local Denial-of-Service From Within a Container

A vulnerability in Docker Desktop's grpcfuse kernel module allows low-privileged attackers within a container to crash the host system.

Zero Day Initiative (ZDI) has disclosed a denial-of-service (DoS) vulnerability, tracked as CVE-2026-8936, affecting Docker Desktop. The flaw resides within the grpcfuse kernel module, a component responsible for bridging gRPC communication with the underlying file system for containerized applications.

Exploitation of this vulnerability requires an attacker to first gain the ability to execute low-privileged code within a container on the target system. Once inside a container, the attacker can leverage the flaw to trigger an uncontrolled recursion within the grpcfuse kernel module. This uncontrolled recursion ultimately leads to a system crash, resulting in a denial-of-service condition on the host machine.

The vulnerability was assigned a CVSS score of 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H), a moderate (Medium) severity. The 'Attack Vector: Local' and 'Privileges Required: Low' ratings reflect that an attacker needs code execution inside a container, but no elevated privileges on the host itself. 'Scope: Changed' captures the fact that the impact crosses from the container into the host kernel, and 'Availability: High' (with no confidentiality or integrity impact) confirms that the outcome is system disruption rather than data exposure.

This specific issue stems from a lack of proper validation of user-supplied data within the grpcfuse kernel module. When the module processes malformed or unexpected input, it recurses without a terminating bound, consuming system resources until the kernel panics or the system becomes unresponsive.
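To illustrate the defect class in general terms, the following added example (written for this page; it is not grpcfuse code and assumes nothing about the real module's input format) walks a constructed nested directory listing recursively. The unbounded version lets the input decide how deep the recursion goes; the hardened version validates nesting depth against an explicit limit before recursing, which is the kind of input check the advisory says was missing.

```python
"""Unbounded versus depth-checked recursion over untrusted nested input.

Illustrative code added for this page. The tree format and the MAX_DEPTH
value are constructed for the example. In user space Python raises a
catchable RecursionError; in a kernel module the equivalent failure is
stack exhaustion, which cannot be caught and takes the host down.
"""
import sys

MAX_DEPTH = 64  # constructed limit; real code would size it to the protocol


def make_tree(depth: int) -> dict:
    """Build a chain of directories 'depth' levels deep ending in a leaf.
    Built iteratively so constructing a deep input never recurses."""
    node = {"name": "leaf", "children": []}
    for i in range(depth):
        node = {"name": f"d{i}", "children": [node]}
    return node


def count_nodes_unbounded(node: dict) -> int:
    """Recurses exactly as deep as the input nests: the sender controls
    the stack depth, which is the pattern behind this class of DoS."""
    return 1 + sum(count_nodes_unbounded(c) for c in node["children"])


def count_nodes_bounded(node: dict, depth: int = 0) -> int:
    """Same walk, but rejects input nested deeper than MAX_DEPTH before
    consuming another stack frame."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting depth exceeds MAX_DEPTH={MAX_DEPTH}")
    return 1 + sum(count_nodes_bounded(c, depth + 1) for c in node["children"])


def handle(node: dict, walker) -> str:
    """Simulate a request handler and report how the walk ended."""
    try:
        return f"ok:{walker(node)}"
    except RecursionError:
        return "crash:RecursionError"      # the kernel analogue is a panic
    except ValueError as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    shallow = make_tree(10)
    hostile = make_tree(sys.getrecursionlimit() * 2)   # deeper than any stack
    for name, walker in (("unbounded", count_nodes_unbounded),
                         ("bounded", count_nodes_bounded)):
        print(f"{name:9} shallow -> {handle(shallow, walker)}")
        print(f"{name:9} hostile -> {handle(hostile, walker)}")
```

The check sits at the top of the recursive function rather than at the entry point so that every path into the walker pays the same cost; validating once at the boundary and then trusting the structure is the variant that tends to regress when a second caller is added later.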

Docker has addressed this vulnerability by releasing version 4.76.0 of Docker Desktop. Users are strongly advised to update to this latest version to mitigate the risk of exploitation. The release notes for version 4.76.0 confirm the fix for this specific issue, although details on the exact patch implementation are not publicly disclosed.

The vulnerability was reported to the vendor on April 30, 2026, and ZDI coordinated the public release of the advisory on June 3, 2026. The disclosure timeline indicates a standard responsible disclosure process, allowing Docker sufficient time to develop and release a patch before public awareness.

This finding was credited to Nitesh Surana of TrendAI Research, highlighting the ongoing contributions of security researchers in identifying and reporting vulnerabilities in widely used software like Docker Desktop. Such vulnerabilities underscore the importance of maintaining secure container environments and promptly applying security updates.

Synthesized by Vypr AI