CVE-2026-2664
Published: 24 February 2026
Summary
CVE-2026-2664 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Docker Desktop. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2664 is an out-of-bounds read vulnerability (CWE-125) in the grpcfuse kernel module within the Linux VM of Docker Desktop for Windows, Linux, and macOS up to version 4.61.0. The flaw is triggered by writing to /proc/docker entries, potentially leading to unspecified impacts.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8). Successful exploitation could result in high impacts to confidentiality, integrity, and availability on the affected system.
Docker has fixed the issue in Docker Desktop 4.62.0. Additional mitigation details are available in the release notes at https://docs.docker.com/desktop/release-notes/#4620.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7385
Vulnerability details
An out of bounds read vulnerability in the grpcfuse kernel module present in the Linux VM in Docker Desktop for Windows, Linux and macOS up to version 4.61.0 could allow a local attacker to cause an unspecified impact by writing to /proc/docker entries. The issue has been fixed in Docker Desktop 4.62.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Local kernel OOB read in Docker Desktop's Linux VM (triggered via /proc) directly enables privilege escalation from low-priv context and facilitates container/VM escape to the host.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching of the out-of-bounds read vulnerability in the grpcfuse kernel module, as fixed in Docker Desktop 4.62.0, to prevent local exploitation via /proc/docker writes.
Vulnerability scanning identifies CVE-2026-2664 in Docker Desktop's Linux VM kernel module, triggering remediation to prevent low-privilege local attacks.
Memory protections such as ASLR and data execution prevention limit the exploitability and impact of the out-of-bounds read in the grpcfuse kernel module.