Docker Desktop for Windows 0-Days Enable Host Privilege Escalation From Containers
Zero Day Initiative disclosed two Docker Desktop for Windows privilege-escalation flaws after Docker rejected the reports as outside its threat model. The first issue, tracked as ZDI-26-258 / ZDI-CAN-27229, affects the extension-manager component and is caused by an exposed dangerous function in Docker Extensions. ZDI said an attacker who can already execute high-privileged code inside a container could exploit the flaw to run arbitrary code on the Windows host as SYSTEM. The advisory lists no assigned CVE and a CVSS 8.2 score, and credits Nitesh Surana of TrendAI Research with the discovery.
A second advisory, ZDI-26-260 / ZDI-CAN-27571, describes an uncontrolled search path issue in the Docker Desktop system/editor endpoint caused by execution of a program from an unsecured location. ZDI said exploitation requires an attacker to first escape the container and execute high-privileged code inside the Docker Hyper-V VM, after which arbitrary code can be run on the host in the context of the current user; the flaw carries a CVSS 7.5 score. The issue was reported to Docker in July 2025 by Nitesh Surana and Nelson William Gamazo Sanchez of TrendAI Research, but was later published as a 0-day after the vendor declined to address it because it depended on prior privileged access.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ZDI publicly discloses Docker Desktop 0-day vulnerabilities
On April 15, 2026, ZDI published advisories for Docker Desktop local privilege escalation flaws including ZDI-26-258 / ZDI-CAN-27229 and ZDI-26-260 / ZDI-CAN-27571. The advisories said the bugs could allow arbitrary code execution on the Windows host after an attacker already had high-privileged code execution in a container or Docker Hyper-V VM.
TrendAI Research reports Docker Desktop privilege escalation flaw to Docker
Researchers Nitesh Surana and Nelson William Gamazo Sanchez of TrendAI Research reported a Docker Desktop privilege escalation vulnerability, tracked by ZDI as ZDI-CAN-27571, to Docker. ZDI states the report was submitted in July 2025.
Docker rejects reported Docker Desktop issues as outside its threat model
Docker later rejected the reported vulnerabilities because exploitation required prior privileged access, which it considered outside its threat model. This rejection led ZDI to treat the issues as 0-day disclosures.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ZDI-26-258 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-260 | Zero Day Initiative
zerodayinitiative.com
Open sourceBreaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 2
cyberark.com
Open sourceBreaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 1
cyberark.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Docker and Docker Desktop Flaws Expose Systems to Security Bypass Risks
German authorities issued advisories for **multiple vulnerabilities in Docker** and a separate **Docker Desktop flaw that allows security measures to be bypassed**, highlighting security risks across both the container engine ecosystem and the desktop management platform. The notices identify Docker broadly as affected in one case, while the other specifically warns that Docker Desktop contains a vulnerability that could let attackers circumvent intended protections. The paired advisories indicate that organizations using Docker in development or production environments may face exposure from both general software weaknesses and a more targeted bypass issue in Docker Desktop. Security teams should review affected versions, assess where Docker and Docker Desktop are deployed, and prioritize vendor guidance and patching to reduce the risk of unauthorized access or weakened container security controls.
Apr 24, 2026
Multiple Docker and Docker Desktop Model Runner Flaws Enable Code Execution
dCERT published advisory `2026-1556` warning of multiple vulnerabilities in **Docker**, followed by advisory `2026-1631` covering **Docker Desktop Model Runner** flaws that can allow **code execution**. The notices indicate that security issues affect both the core container ecosystem and a Docker Desktop component used for model execution, expanding the potential attack surface across developer and workstation environments. The paired advisories highlight a broader risk to organizations relying on Docker tooling: attackers may be able to exploit multiple weaknesses to run unauthorized code on affected systems. Security teams using Docker or Docker Desktop should review the impacted products and versions referenced in the dCERT advisories, prioritize patching, and assess whether developer endpoints or container-management workflows are exposed to these vulnerabilities.
May 26, 2026
Docker Engine AuthZ Bypass Flaw Enables Host Access via Oversized API Requests
Docker disclosed a high-severity Docker Engine vulnerability, **CVE-2026-34040** (`CVSS 8.8`), that allows attackers to bypass authorization plugins and perform actions that should be blocked. The flaw stems from an incomplete fix for **CVE-2024-41110** and is triggered when a specially crafted oversized Docker API request causes the request body to be dropped before inspection by an AuthZ plugin. In affected environments, the plugin may approve container operations it would otherwise deny, opening a path to unauthorized privileged actions and potential host compromise. Researchers said an attacker with Docker API access could exploit the bug by padding a container-creation request beyond **1 MB** to launch a privileged container with access to the host filesystem, exposing sensitive assets such as **AWS credentials**, **SSH keys**, and **Kubernetes configurations**. The issue affects deployments that rely on authorization plugins inspecting request bodies, while environments not using those plugins are not impacted. Docker patched the vulnerability in **Docker Engine 29.3.1** and urged defenders to upgrade, restrict Docker API access, avoid AuthZ plugins that depend on request-body inspection, and use controls such as rootless mode, user namespace remapping, and least-privilege access to reduce risk.
Apr 8, 2026