CVE-2026-12539

Source
https://cve.org/CVERecord?id=CVE-2026-12539
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12539.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12539
Published
2026-06-18T13:51:13.588Z
Modified
2026-07-08T07:23:27.636466728Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Docker Sandboxes ICMP egress restriction bypass after daemon restart
Details

Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12539.json",
    "cna_assigner": "Docker",
    "cwe_ids": [
        "CWE-665",
        "CWE-923"
    ]
}
References

Affected packages

Git / github.com/docker/sbx-releases

Affected ranges

Type
GIT
Repo
https://github.com/docker/sbx-releases
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.14.0"
        },
        {
            "fixed": "0.33.0"
        }
    ]
}

Affected versions

Other
dev-02f174c
dev-1f51dc0
dev-2631810
dev-438ebd7
dev-78ed158
dev-793e764
dev-8fc2763
dev-921c1c7
dev-a5207e0
dev-ad0ca5e
dev-bad9503
dev-c13a59d
dev-c7702ef
dev-dc73246
dev-e54ee33
dev-ebc3fbe
v0.*
v0.16.0
v0.17.0
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.19.0
v0.20.0
v0.21.0
v0.23.0
v0.24.1
v0.24.2
v0.25.0
v0.26.1
v0.27.0
v0.28.0
v0.28.1
v0.28.1-rc2
v0.28.2
v0.28.3
v0.29.0
v0.29.0-rc1
v0.30.0
v0.30.0-rc1
v0.30.0-rc2
v0.31.0-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12539.json"