| CVE ID | CVE-2026-35712 |
| Affected software | Docker 26.0.0 through 26.1.2 |
| Severity | CVSS 8.6 (High) — Privilege Escalation, Complete System Access |
| Fixed in | Docker 26.1.3 |
| Disclosed | July 6, 2026 |
| Active exploitation | No known public exploits yet, but threat is imminent |
What Happened
Docker uses Linux cgroups (control groups) to isolate container resources and prevent containers from affecting the host system or other containers. This vulnerability exists in how Docker manages cgroup namespace transitions when a privileged process inside a container tries to manipulate system resources. A flaw in the namespace isolation mechanism allows an attacker to bypass these restrictions and execute arbitrary commands on the host with the Docker daemon's privileges.
The attack requires a malicious application running inside a container, but does not require special Docker flags like --privileged — it works against standard containerized applications.
What This Means
This is a privilege escalation vulnerability, not a remote code execution. It means if you're running untrusted code inside Docker containers, that code can compromise your entire host system. For anyone running user-submitted containers, third-party container images from untrusted registries, or cloud platforms allowing customer containers, this represents an immediate security crisis.
Why You Should Care
Container escape vulnerabilities are extremely serious because they undermine the entire purpose of containerization — isolation. Organizations rely on Docker to safely run untrusted code without it threatening the host. This vulnerability breaks that guarantee. Given Docker's ubiquity across cloud platforms, CI/CD systems, and development environments, this affects millions of deployments.
What You Can Do Right Now
- Update Docker immediately to version 26.1.3 or later — this is not optional.
- Audit running containers for suspicious process creation or system calls using
docker logsand container monitoring tools. - Review container sources — ensure you only run images from official registries or trusted sources you control.
- Enable Docker security scanning in your CI/CD pipeline to detect known vulnerable base images.
- Implement image signing verification to prevent tampering with container images.
- Use image pull rate limiting to reduce the attack surface of third-party registries.
This is the third critical container escape vulnerability discovered in Docker within 18 months. It highlights an ongoing trend: container runtimes are complex, and subtle flaws in namespace isolation can have catastrophic consequences. Any organization running untrusted containers is at immediate risk.
A flaw in Docker's cgroup management allows unprivileged applications inside containers to escape isolation and compromise the host system with daemon-level privileges.
Explore More CVEsBrowse more articles and resources in this category