SentinelOne
CVE Vulnerability Database

CVE-2026-2664: Docker Desktop Privilege Escalation Flaw

CVE-2026-2664 is a privilege escalation vulnerability in Docker Desktop's grpcfuse kernel module affecting versions up to 4.61.0. Attackers can exploit it via /proc/docker entries. Learn about affected systems and updates.


CVE-2026-2664 Overview

An out-of-bounds read vulnerability (CWE-125) has been identified in the grpcfuse kernel module present in the Linux VM in Docker Desktop for Windows, Linux, and macOS. This vulnerability affects Docker Desktop versions up to and including 4.61.0 and could allow a local attacker to cause unspecified impact by writing to /proc/docker entries.

Critical Impact

Local attackers with low privileges can exploit this out-of-bounds read to obtain kernel memory contents beyond the buffer the grpcfuse module intended to expose, which could lead to information disclosure within containerized environments.

Affected Products

  • Docker Desktop for Windows (up to version 4.61.0)
  • Docker Desktop for Linux (up to version 4.61.0)
  • Docker Desktop for macOS (up to version 4.61.0)

Discovery Timeline

  • 2026-02-24 - CVE-2026-2664 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2026-2664

Vulnerability Analysis

This vulnerability is classified as an out-of-bounds read (CWE-125), a memory-safety issue that occurs when software reads data past the end or before the beginning of the intended buffer. In the context of the grpcfuse kernel module within Docker Desktop's Linux VM, the flaw is triggered through specially crafted writes to /proc/docker entries.

The grpcfuse module is a core component of file system sharing between the host and Docker's Linux VM, providing FUSE (Filesystem in Userspace) functionality over gRPC. When the module fails to validate buffer boundaries during a read, the result is an exploitable out-of-bounds condition.

The local attack vector requires an attacker to already hold low privileges on the system in order to interact with the /proc/docker entries. Because the grpcfuse module is loaded in Docker Desktop's Linux VM, the /proc/docker entries in question belong to that VM's kernel rather than to the host operating system. While the immediate impact is categorized as high confidentiality impact with no integrity or availability impact, the potential for information disclosure from kernel memory regions makes this a significant security concern for Docker Desktop users.

Root Cause

The root cause of this vulnerability lies in insufficient boundary checking within the grpcfuse kernel module when processing input written to /proc/docker entries. The module fails to properly validate the size and bounds of read operations, allowing memory access beyond allocated buffer boundaries. This type of vulnerability typically stems from missing or inadequate input validation and bounds checking in kernel-level code paths.

Attack Vector

The attack requires local access to a system running a vulnerable version of Docker Desktop. An attacker with low user privileges can craft input to be written to /proc/docker entries, triggering the out-of-bounds read in the grpcfuse kernel module. The attack does not require user interaction and has low complexity, making exploitation straightforward for an attacker who already has local access.

The exploitation mechanism involves manipulating proc filesystem entries to trigger memory read operations that exceed intended buffer boundaries within the kernel module, potentially exposing sensitive kernel memory contents.

Detection Methods for CVE-2026-2664

Indicators of Compromise

  • Unusual access patterns to /proc/docker entries from unexpected processes or users
  • Abnormal memory read operations or kernel warnings associated with the grpcfuse module
  • Unexpected processes attempting to interact with Docker's proc filesystem entries

Detection Strategies

  • Monitor system calls and file operations targeting /proc/docker entries for anomalous behavior
  • Implement kernel-level auditing to track interactions with the grpcfuse module
  • Deploy endpoint detection solutions capable of monitoring for out-of-bounds memory access patterns

Monitoring Recommendations

  • Enable comprehensive logging for Docker Desktop and related kernel module activities
  • Configure alerts for unauthorized or unexpected access to proc filesystem entries related to Docker
  • Implement file integrity monitoring on Docker Desktop installation directories

How to Mitigate CVE-2026-2664

Immediate Actions Required

  • Upgrade Docker Desktop to version 4.62.0 or later immediately
  • Restrict local user access to systems running vulnerable Docker Desktop versions
  • Review system access logs for any suspicious activity targeting /proc/docker entries

Patch Information

Docker has addressed this vulnerability in Docker Desktop version 4.62.0. Users should update their Docker Desktop installation to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the Docker Desktop Release Notes for version 4.62.0.
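A quick way to check whether an installed Docker Desktop falls inside the affected range (up to and including 4.61.0), as an added example that is not from this page or from Docker: it parses the platform name that `docker version --format '{{.Server.Platform.Name}}'` prints on Docker Desktop (assumed to look like "Docker Desktop 4.61.0 (123456)") and compares the version numerically, so that a 4.9.x install is correctly treated as older than 4.61.0. The sample strings in the comments are constructed.

```python
import re
import subprocess

# Highest affected release named in the advisory; 4.62.0 carries the fix.
LAST_VULNERABLE = (4, 61, 0)

# Assumed shape of the platform name Docker Desktop reports, e.g.
# "Docker Desktop 4.61.0 (123456)" (constructed sample).
_DESKTOP_RE = re.compile(r"Docker Desktop\s+(\d+)\.(\d+)\.(\d+)")


def parse_desktop_version(platform_name: str):
    """Extract (major, minor, patch) from the platform name string.
    Returns None when the string is not a Docker Desktop platform name
    (for example a plain Docker Engine host)."""
    m = _DESKTOP_RE.search(platform_name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version) -> bool:
    """True when the version is at or below 4.61.0.
    Accepts a (major, minor, patch) tuple or an 'X.Y.Z' string. Tuple
    comparison is numeric, so (4, 9, 1) < (4, 61, 0) as intended; a plain
    string comparison would rank "4.9.1" above "4.61.0"."""
    if isinstance(version, str):
        version = tuple(int(x) for x in version.split("."))
    return tuple(version) <= LAST_VULNERABLE


def installed_platform_name() -> str:
    """Ask the local Docker CLI for the server platform name. `docker
    --version` only reports the CLI version, which is not the Desktop
    release, so the Server platform name is queried instead."""
    out = subprocess.run(
        ["docker", "version", "--format", "{{.Server.Platform.Name}}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    name = installed_platform_name()
    ver = parse_desktop_version(name)
    if ver is None:
        print(f"not Docker Desktop (server reports: {name!r})")
    elif is_vulnerable(ver):
        print(f"{name}: in the CVE-2026-2664 affected range, upgrade to 4.62.0 or later")
    else:
        print(f"{name}: not in the affected range")
```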

Workarounds

  • Limit local user access to systems running Docker Desktop until the patch can be applied
  • Implement additional access controls on /proc/docker entries where feasible
  • Consider temporary isolation of Docker Desktop workloads on systems that cannot be immediately updated
```bash
# Update Docker Desktop via command line (example for Linux)
# Download and install Docker Desktop 4.62.0 or later from the official Docker website
# Verify the installed version after the update.
# `docker --version` reports only the CLI version; on Docker Desktop the
# "Server: Docker Desktop <version>" line of `docker version` shows the Desktop release.
docker --version
docker version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
