CVE-2026-8936: Unbounded recursion in grpcfuse kernel module allows container to crash Docker Desktop VM
Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event. This issue has been fixed in Docker Desktop 4.76.0.
Metrics
- CVSS v4.0: 8.2
- Severity: HIGH
- Fixed in: 4.76.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability caused by unbounded recursion in the grpcfuse kernel module included in Docker Desktop. It is reachable locally by a process running inside a container, requires only a low-privilege account, and does not need any network access or victim interaction. Successful exploitation crashes the Docker Desktop VM, taking down all running containers on the host. A patched-image rebuild at Docker Desktop 4.76.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-8936 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle or depend on Docker Desktop components.
HarborGuard scores this CVE at CVSS 8.2 (HIGH) and can weight that score against each environment's compliance policy to determine urgency and route findings to the appropriate team inbox inside each customer organization.
A patched-image rebuild targeting Docker Desktop 4.76.0 is available on HarborGuard for any environment running an affected version (4.33.0 through 4.75.x). For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run regression tests, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access is required to trigger the vulnerability.
- Authentication: Required
Any low-privilege account is sufficient; the attacker does not need administrative or root-level credentials to initiate the exploit.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the crash entirely through their own process actions inside a container.
- Attack complexity: Low (AC:L)
The exploit is reliable and needs no special preconditions: creating deeply nested directories on a bind-mounted host folder consistently triggers the dentry invalidation path that causes the recursion.
Blast Radius
- Crashes the Docker Desktop VM, immediately terminating all containers running on that host.
- Causes unrecoverable loss of any in-memory or in-flight work across every container on the affected VM.
- Disrupts any CI/CD pipeline or local development workflow dependent on the Docker Desktop instance until the VM is manually restarted.
- No confidentiality or data-integrity impact; the attacker cannot read or modify files through this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-8936 is active the moment the CVE is published, with image matching running across all registered registries and pipelines. For environments running Docker Desktop 4.33.0 through 4.75.x, a rebuild against the fixed 4.76.0 base is available. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Customers who manage remediation manually can use HarborGuard findings to prioritize the upgrade to 4.76.0 and, in the interim, reduce exposure by restricting container workloads from mounting host directories via network policy or Docker daemon configuration where operationally feasible.
Fix available
- Docker / Docker Desktop: versions from 4.33.0 up to, but not including, 4.76.0
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/R:U
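The following script is an added example, not code from HarborGuard or Docker: it checks a Docker Desktop version against the affected range stated above (4.33.0 up to, but not including, 4.76.0) and decodes the published CVSS v4.0 vector into the same plain-language exploit conditions the advisory lists. It assumes that `docker version` prints a line of the form `Server: Docker Desktop X.Y.Z (build)`; the sample output embedded below is constructed for the example, not captured from a real host.

```python
import re
from typing import Dict, Optional, Tuple

# CVSS v4.0 vector as published in the advisory for CVE-2026-8936.
CVSS_VECTOR = "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/R:U"

# Affected range from the advisory: 4.33.0 up to (not including) the fixed 4.76.0.
FIRST_AFFECTED = "4.33.0"
FIXED_IN = "4.76.0"


def parse_cvss4_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v4.0 vector string into {metric: value}; other versions are rejected."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    return metrics


def exploit_conditions(metrics: Dict[str, str]) -> Dict[str, object]:
    """Map the base metrics to the conditions listed under 'Exploit Conditions'."""
    return {
        # AV:N / AV:A need the network; AV:L (this CVE) and AV:P do not.
        "network_reachability_required": metrics["AV"] in ("N", "A"),
        # PR:L means some account is needed, but not an administrative one.
        "authentication_required": metrics["PR"] != "N",
        "victim_interaction_required": metrics["UI"] != "N",
        # VA:H is the availability impact that makes this a DoS.
        "availability_impact": metrics["VA"],
    }


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.75.2' -> (4, 75, 2); any build or pre-release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when version lies in [FIRST_AFFECTED, FIXED_IN)."""
    v = version_tuple(version)
    return version_tuple(FIRST_AFFECTED) <= v < version_tuple(FIXED_IN)


def desktop_version_from_docker_version_output(text: str) -> Optional[str]:
    """Extract the Docker Desktop version from `docker version` output.

    Assumes a 'Server: Docker Desktop X.Y.Z (build)' line; returns None when
    the engine is not Docker Desktop (plain Docker Engine prints no such line).
    """
    m = re.search(r"Server:\s+Docker Desktop\s+(\d+\.\d+\.\d+)", text)
    return m.group(1) if m else None


# Constructed sample of `docker version` output (not captured from a real host).
SAMPLE_DOCKER_VERSION_OUTPUT = """\
Client:
 Version:           27.4.0
 API version:       1.47

Server: Docker Desktop 4.70.1 (123456)
 Engine:
  Version:          27.4.0
"""


def assess(output: str = SAMPLE_DOCKER_VERSION_OUTPUT) -> Dict[str, object]:
    """Combine version check and vector decoding into one finding."""
    version = desktop_version_from_docker_version_output(output)
    return {
        "desktop_version": version,
        "affected": bool(version) and is_affected(version),
        "conditions": exploit_conditions(parse_cvss4_vector(CVSS_VECTOR)),
    }


if __name__ == "__main__":
    # On a real host: python3 this_script.py < <(docker version)
    print(assess())
```

On an affected host the `affected` flag is the signal to prioritize the upgrade to 4.76.0; a `None` version means the engine is not Docker Desktop and the grpcfuse module is not in play.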