Denial‑of‑Service in Docker Desktop grpcfuse Kernel Module (CVE‑2026‑8936) Risks Local Container Environments
What It Is – Docker Desktop’s grpcfuse kernel module contains an uncontrolled‑recursion flaw that lets a low‑privileged process inside a container trigger unbounded recursion, crashing the host kernel. The issue is classified as a local denial‑of‑service (DoS) vulnerability.
Exploitability – An attacker must first gain the ability to run code inside a Docker container (e.g., via a vulnerable application or mis‑configuration). No public exploit or worm is known, but a proof‑of‑concept exists. CVSS 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
Affected Products – Docker Desktop ≤ 4.75.0 on Windows and macOS (grpcfuse kernel module).
TPRM Impact –
- Organizations that allow developers to run Docker Desktop on corporate workstations expose the host OS to a DoS that can halt development pipelines and internal tooling.
- A compromised container could be leveraged as a foothold for broader supply‑chain attacks, especially when Docker Desktop is used to build and push images to production registries.
Recommended Actions –
- Patch immediately – Upgrade Docker Desktop to 4.76.0 or later, which disables the vulnerable grpcfuse path.
- Enforce least‑privilege containers – Disallow privileged containers and restrict the --cap-add and --device flags.
- Monitor container activity – Deploy runtime security agents that alert on abnormal syscalls or kernel module loads.
- Segregate development environments – Use virtual machines or sandboxed workstations for Docker Desktop to limit host impact.
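The following is an added example, not part of this advisory or of Docker's own tooling: it checks a Docker Desktop version string against the fixed release (4.76.0) and audits `docker inspect` output for containers that break the least‑privilege guidance above (privileged mode, added capabilities, host devices). The version string source and the sample inspect records are assumptions constructed for the example.

```python
"""Audit helpers for the grpcfuse DoS advisory (CVE-2026-8936).
Added example: version check against the fixed release and a least-privilege
audit over `docker inspect` JSON. Sample data below is constructed."""
import json
import re

FIXED_VERSION = (4, 76, 0)  # first Docker Desktop release with the fix (from the advisory)


def parse_version(text):
    """Return (major, minor, patch) from a string such as 'Docker Desktop 4.75.0'.
    Raises ValueError when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the installed Docker Desktop is older than 4.76.0 (i.e. <= 4.75.0)."""
    return parse_version(version_text) < FIXED_VERSION


def audit_containers(inspect_json):
    """Take the JSON array emitted by `docker inspect <ids>` and return
    {container_name: [findings]} for containers violating the least-privilege
    recommendations. Clean containers are omitted from the result."""
    findings = {}
    for rec in json.loads(inspect_json):
        host = rec.get("HostConfig", {})
        issues = []
        if host.get("Privileged"):
            issues.append("privileged")
        if host.get("CapAdd"):  # None or [] means no capabilities were added
            issues.append("cap-add:" + ",".join(host["CapAdd"]))
        if host.get("Devices"):  # host devices passed through with --device
            issues.append("devices:" + ",".join(d.get("PathOnHost", "?") for d in host["Devices"]))
        if issues:
            findings[rec.get("Name", "?").lstrip("/")] = issues
    return findings


# Constructed sample of three `docker inspect` records, trimmed to HostConfig.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-agent", "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "Devices": []}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": None,
                                    "Devices": [{"PathOnHost": "/dev/ttyUSB0", "PathInContainer": "/dev/ttyUSB0"}]}},
    {"Name": "/db", "HostConfig": {"Privileged": False, "CapAdd": None, "Devices": []}},
])

if __name__ == "__main__":
    print("affected:", is_affected("Docker Desktop 4.75.0"))
    print(audit_containers(SAMPLE_INSPECT))
```

In practice, feed `audit_containers` the output of `docker inspect $(docker ps -q)` so every running container is covered.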