SB2026022424 - Multiple vulnerabilities in Docker Desktop
Published: February 24, 2026 Updated: March 14, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-2664)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a boundary condition in gRPC-FUSE kernel module. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
2) Command Injection (CVE-ID: CVE-2026-28400)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to insufficient input validation. A remote user can perform runtime flags injection and escalate privileges on the system.
Remediation
Install update from vendor's website.
References
- https://docs.docker.com/security/security-announcements/#docker-desktop-4620-security-update-cve-2026-2664
- https://www.zerodayinitiative.com/advisories/ZDI-26-125/
- https://docs.docker.com/security/security-announcements/#docker-desktop-4620-security-update-cve-2026-28400
- https://www.zerodayinitiative.com/advisories/ZDI-26-150/