CVE-2026-8936 Overview
CVE-2026-8936 is a denial-of-service vulnerability in Docker Desktop caused by unbounded recursion [CWE-674] in the grpcfuse kernel module. A container can trigger a virtual machine (VM) panic by creating deeply nested directories on a bind-mounted host folder and then causing a dentry invalidation event. The recursive code path in grpcfuse consumes the kernel stack until the VM panics. Docker has fixed the issue in Docker Desktop 4.76.0.
Critical Impact
A local container workload can crash the Docker Desktop VM, terminating all running containers and disrupting developer or CI workflows on the host.
Affected Products
- Docker Desktop versions prior to 4.76.0
- Deployments using grpcfuse for host bind mounts
- Workflows that mount host folders into containers with write access
Discovery Timeline
- 2026-06-02 - CVE-2026-8936 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-8936
Vulnerability Analysis
The flaw resides in grpcfuse, the Filesystem in Userspace (FUSE) bridge Docker Desktop uses to expose host directories to Linux containers running inside its VM. When the kernel receives a dentry invalidation event for a bind-mounted path, grpcfuse walks the directory entry tree using recursion rather than an iterative algorithm. A container that has write access to a bind-mounted host folder can create directories nested to an arbitrary depth. The subsequent invalidation walks each level recursively, exhausting the kernel stack and panicking the VM.
The weakness is classified as uncontrolled recursion [CWE-674]. Attackers do not gain code execution, escape the container, or read host data. Impact is limited to availability of the Docker Desktop VM and the workloads it hosts.
Root Cause
The grpcfuse invalidation handler lacks a depth limit or iterative traversal. Each nested dentry adds a frame to the kernel stack until the stack guard page is hit, triggering a kernel panic inside the LinuxKit VM that backs Docker Desktop.
Attack Vector
Exploitation is local. A user with permission to run containers and configure a bind mount onto a writable host folder can trigger the panic. From inside the container, the actor creates a directory chain such as a/a/a/... thousands of levels deep, then renames or removes a parent to force the kernel to issue dentry invalidations. The recursive walk traverses every level and panics the VM. No authentication beyond local container execution is required, and no user interaction is needed.
Technical details are documented in the Docker Desktop 4.76.0 release notes.
Detection Methods for CVE-2026-8936
Indicators of Compromise
- Unexpected Docker Desktop VM panics or restarts on developer workstations and build agents
- Container processes that recursively create directories with single-character names under bind-mounted paths
- LinuxKit kernel logs showing stack overflow or panic traces referencing grpcfuse invalidation handlers
Detection Strategies
- Audit Docker Desktop versions across managed endpoints and flag any host running a release earlier than 4.76.0
- Monitor for repeated Docker Desktop service restarts or com.docker.backend crash events in host telemetry
- Inspect container filesystem activity for abnormal mkdir depth on paths corresponding to bind mounts
Monitoring Recommendations
- Forward Docker Desktop diagnostic logs and host event logs to a centralized logging system for correlation
- Alert on kernel panic strings emitted by the Docker Desktop VM, including stack traces involving FUSE invalidation
- Track container runtime metrics for sudden termination of all containers on a host, which indicates a VM panic
How to Mitigate CVE-2026-8936
Immediate Actions Required
- Upgrade Docker Desktop to version 4.76.0 or later on every affected workstation and build host
- Restrict who can run containers with bind mounts on shared or multi-tenant developer hosts
- Review existing container images and CI jobs for processes that perform deep recursive directory creation on bind-mounted paths
Patch Information
Docker has released the fix in Docker Desktop 4.76.0. Details are available in the Docker Desktop release notes. Apply the update through the Docker Desktop auto-updater or by deploying the installer through an endpoint management tool.
Workarounds
- Avoid bind-mounting host directories that untrusted containers can write to until the patch is applied
- Prefer named Docker volumes over host bind mounts for container storage where feasible
- Limit container privileges and filesystem capabilities through --read-only mounts or restrictive securityContext settings
# Verify the installed Docker Desktop version meets or exceeds the fixed release
docker version --format '{{.Server.Platform.Name}}'
docker desktop version
# Expected: Docker Desktop 4.76.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
