CVE-2025-10657
BaseFortify

Publication date: 2025-09-26

Last updated on: 2025-09-29

Assigner: Docker Inc.

Description
In a hardened Docker environment with Enhanced Container Isolation (ECI, https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/) enabled, an administrator can use the command restrictions feature (https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/config/#command-restrictions) to restrict the commands that a container with a Docker socket mount may issue on that socket. Due to a software bug, the configuration to restrict commands was ignored when passed to ECI, allowing any command to be executed on the socket. This grants excessive privileges by permitting unrestricted access to powerful Docker commands. The vulnerability affects only Docker Desktop 4.46.0 users that have ECI enabled and are using the Docker socket command restrictions feature. In addition, since ECI blocks mounting the Docker socket into containers by default, it affects only containers that the administrator has explicitly allowed to mount the Docker socket.
Meta Information
Published: 2025-09-26
Last Modified: 2025-09-29
Generated: 2026-05-07
AI Q&A: 2025-09-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor   Product          Version / Range
docker   docker_desktop   4.46.0
CWE ID    Description
CWE-269   The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Docker Desktop 4.46.0 when Enhanced Container Isolation (ECI) is enabled along with the Docker socket command restrictions feature. Due to a software bug, the command restrictions intended to limit what commands a container with a Docker socket mount can execute are ignored. This allows any command to be executed on the Docker socket, granting excessive privileges and unrestricted access to powerful Docker commands.


How can this vulnerability impact me?

If you are using Docker Desktop 4.46.0 with ECI enabled and have containers explicitly allowed to mount the Docker socket, this vulnerability can allow those containers to execute any Docker command without restriction. This could lead to privilege escalation, unauthorized control over Docker operations, and potentially compromise the host system or other containers.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that you are not using Docker Desktop version 4.46.0 with Enhanced Container Isolation (ECI) enabled and the Docker socket command restrictions feature active. Since the vulnerability only affects containers explicitly allowed to mount the Docker socket, review and restrict any containers that have the Docker socket mounted. Consider disabling the command restrictions feature until a patch is available or upgrading Docker Desktop to a version where this bug is fixed.

