Critical
CVE-2026-35712

Docker Container Escape: Privilege Escalation Through Cgroup Management

In July 2026, security researchers discovered a critical vulnerability in Docker's runtime that allows a malicious application running inside a container to break out and execute code on the host system. Here's what went wrong, why it's dangerous, and how to protect yourself.

Quick facts
CVE IDCVE-2026-35712
Affected softwareDocker 26.0.0 through 26.1.2
SeverityCVSS 8.6 (High) — Privilege Escalation, Complete System Access
Fixed inDocker 26.1.3
DisclosedJuly 6, 2026
Active exploitationNo known public exploits yet, but threat is imminent

What Happened

Docker uses Linux cgroups (control groups) to isolate container resources and prevent containers from affecting the host system or other containers. This vulnerability exists in how Docker manages cgroup namespace transitions when a privileged process inside a container tries to manipulate system resources. A flaw in the namespace isolation mechanism allows an attacker to bypass these restrictions and execute arbitrary commands on the host with the Docker daemon's privileges.

The attack requires a malicious application running inside a container, but does not require special Docker flags like --privileged — it works against standard containerized applications.

What This Means

This is a privilege escalation vulnerability, not a remote code execution. It means if you're running untrusted code inside Docker containers, that code can compromise your entire host system. For anyone running user-submitted containers, third-party container images from untrusted registries, or cloud platforms allowing customer containers, this represents an immediate security crisis.

Why You Should Care

Container escape vulnerabilities are extremely serious because they undermine the entire purpose of containerization — isolation. Organizations rely on Docker to safely run untrusted code without it threatening the host. This vulnerability breaks that guarantee. Given Docker's ubiquity across cloud platforms, CI/CD systems, and development environments, this affects millions of deployments.

What You Can Do Right Now

Real-world impact

This is the third critical container escape vulnerability discovered in Docker within 18 months. It highlights an ongoing trend: container runtimes are complex, and subtle flaws in namespace isolation can have catastrophic consequences. Any organization running untrusted containers is at immediate risk.

CVE-2026-35712 in one sentence

A flaw in Docker's cgroup management allows unprivileged applications inside containers to escape isolation and compromise the host system with daemon-level privileges.

Explore More CVEs
Category: Cve
Browse more articles and resources in this category