Impact
Docker Sandboxes blocks ICMP egress with an authorizer applied only at network creation; the authorizer is not reapplied to networks rebuilt after the Docker daemon restarts. A workload inside a sandbox, treated as untrusted, can send ICMP packets to arbitrary hosts, performing network reconnaissance and transmitting data covertly over ICMP. This bypass of the documented egress block enables an attacker to gather information and exfiltrate data from the host system using standard ICMP protocols.
Affected Systems
Docker Sandboxes, any version that does not include the fix for the authorizer reapplication bug (prior to the release that addressed this vulnerability).
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. EPSS is less than 1%, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves a Docker daemon restart that rebuilds existing sandbox networks from disk, allowing outbound ICMP traffic to any external host. Although not immediately exploitable without a restart, the limitation can be leveraged by a persistent attacker who can schedule or trigger a restart, making the vulnerability moderate but still concerning for environments that rely on strict ICMP block enforcement.
OpenCVE Enrichment