Docker Desktop Zero-Day LPE Flaw Disclosed After Vendor Rejects Fix
Zero Day Initiative discloses a privilege escalation zero-day in Docker Desktop for Windows that lets an attacker who has already escaped a container execute arbitrary code on the host.

A critical zero-day vulnerability in Docker Desktop for Windows has been publicly disclosed as a 0-day advisory by Trend Micro’s Zero Day Initiative (ZDI) after Docker Inc. rejected the report. The flaw, tracked as ZDI-26-259, enables an attacker who has already escaped a container and gained low-privileged code execution within the Docker Hyper-V VM to escalate privileges and run arbitrary code on the host system in the context of the current user.
The vulnerability resides in the Docker cli-plugins feature, specifically involving incorrect permission assignments on folders used by that functionality. According to the advisory, the issue allows a local attacker to leverage the misconfigured permissions to gain higher access. The CVSS score is 7.8 (High), with the vector indicating a local attack that requires high complexity and prior low-privileged access.
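The advisory describes the root cause only as incorrect permission assignments on cli-plugins folders and offers no patch, so the practical defensive step is to audit those folders for ACEs that grant write-class rights to broad principals. The following PowerShell audit helper is an added example, not code from ZDI, Trend Research or Docker; the candidate paths are assumptions (the advisory names no folder), and the set of "broad" SIDs is a chosen heuristic, not anything the advisory specifies.

```powershell
# Added audit helper (not from the ZDI advisory or Docker). Reports Allow ACEs on
# Docker cli-plugins folders that give write-class rights to principals that
# effectively mean "any local user". Paths are assumptions; adjust for your install.
$CandidatePaths = @(
    (Join-Path $env:USERPROFILE '.docker\cli-plugins'),
    (Join-Path $env:ProgramData  'Docker\cli-plugins'),
    (Join-Path $env:ProgramFiles 'Docker\cli-plugins')
)

function Get-DockerPluginDirWeakAcl {
    [CmdletBinding()]
    param([string[]]$Path = $CandidatePaths)

    # Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
    $BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
    # Rights that allow planting or replacing files under the folder.
    $WriteMask = [System.Security.AccessControl.FileSystemRights] (
        'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership')

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Compare by SID so localized group names do not matter.
            try {
                $sid = $rule.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($BroadSids -notcontains $sid) { continue }
            if (($rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [PSCustomObject]@{
                Path      = $dir
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = Get-DockerPluginDirWeakAcl
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No broad write-class ACEs found on the checked cli-plugins folders.' }
```

A hit on a per-user folder inside your own profile is expected for that user; a hit granting Everyone, Users or Authenticated Users write access to a machine-wide plugin folder is the kind of misconfiguration worth raising, since the CLI loads executables from it in the calling user's context.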
The disclosure timeline shows a protracted engagement between ZDI and Docker. ZDI submitted the report on July 11, 2025, followed by multiple requests for updates. In September 2025, Docker requested technical clarification, which ZDI provided. However, on November 11, 2025, Docker rejected the report, arguing that exploitation required prior privileged access. ZDI then notified Docker of its intent to publish as a 0-day advisory on April 8, 2026, and released the advisory on April 15, 2026.
The vulnerability was discovered and reported by Nitesh Surana (niteshsurana.com) and Nelson William Gamazo Sanchez of Trend Research. As a 0-day, no official patch is available. ZDI’s mitigation advice is to restrict interaction with Docker Desktop, especially in multi-tenant or shared-environment contexts where container escape and low-privileged execution in the Hyper-V VM are possible.
The impact is significant for organizations using Docker Desktop on Windows, particularly in development environments and CI/CD pipelines where containers run with elevated interaction with the host. While the exploit chain requires multiple steps (container escape, then LPE), the disclosure highlights the challenge of securing containerization platforms against privilege escalation within the host-VM boundary. Without a vendor patch, users must rely on isolation and strict access controls.
This disclosure raises concerns about Docker’s security response process, as the vendor declined to address the issue based on exploitation difficulty. The release of technical details may lead to proof-of-concept exploits, increasing risk for unpatched systems. Security teams should monitor for additional advisories and consider temporary workarounds.