Description
Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.
Published: 2026-06-18
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Docker Sandboxes blocks ICMP egress with an authorizer applied only at network creation; the authorizer is not reapplied to networks rebuilt after the Docker daemon restarts. A workload inside a sandbox, treated as untrusted, can send ICMP packets to arbitrary hosts, performing network reconnaissance and transmitting data covertly over ICMP. This bypass of the documented egress block lets an attacker inside the sandbox map reachable hosts and exfiltrate data over standard ICMP, regardless of the configured allowlist.

Affected Systems

Docker Sandboxes, any version that does not include the fix for the authorizer reapplication bug (prior to the release that addressed this vulnerability).

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The attack scenario requires a Docker daemon restart that rebuilds existing sandbox networks from disk; after such a restart, a surviving sandbox can send ICMP packets to any external host. Although the bug is not exploitable without a restart, a persistent attacker who can schedule or trigger one can leverage it, which makes the vulnerability moderate but still concerning for environments that rely on strict ICMP block enforcement.

Generated by OpenCVE AI on June 18, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Docker Sandboxes to the latest version that includes the fix for the ICMP egress authorizer reapplication bug
  • If an update is not possible, configure an additional firewall rule or container network policy to block outbound ICMP traffic from untrusted workloads
  • After a Docker daemon restart, manually enforce ICMP restrictions on rebuilt networks or monitor for unauthorized ICMP traffic to detect potential bypasses

Generated by OpenCVE AI on June 18, 2026 at 18:08 UTC.
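The third recommended action above says to monitor for unauthorized ICMP traffic so that a bypass after a daemon restart is noticed. The following is an added example of that detection logic, written for this page and not code from Docker or OpenCVE. It assumes the host logs forwarded ICMP with a netfilter LOG rule (the `SBX-ICMP:` prefix, the `br-sbx0` bridge name, the `172.20.0.0/16` sandbox subnet and the allowlisted `10.0.0.53` resolver are all hypothetical), and it runs over constructed sample log lines rather than real captures. It flags ICMP leaving the sandbox subnet to any host outside the allowlist, marks oversized echo requests as a covert-channel indicator, and reports sources that touched several distinct destinations as a likely sweep.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in netfilter LOG format (not real captures).
# They assume a hypothetical host rule such as:
#   -A FORWARD -p icmp -j LOG --log-prefix "SBX-ICMP: "
SAMPLE_LOG = """\
Jun 18 17:02:11 host kernel: SBX-ICMP: IN=br-sbx0 OUT=eth0 SRC=172.20.0.2 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jun 18 17:02:12 host kernel: SBX-ICMP: IN=br-sbx0 OUT=eth0 SRC=172.20.0.2 DST=203.0.113.11 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Jun 18 17:02:13 host kernel: SBX-ICMP: IN=br-sbx0 OUT=eth0 SRC=172.20.0.2 DST=198.51.100.7 LEN=1452 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jun 18 17:02:14 host kernel: SBX-ICMP: IN=br-sbx0 OUT=eth0 SRC=172.20.0.3 DST=10.0.0.53 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jun 18 17:02:15 host kernel: SBX-ICMP: IN=eth0 OUT=br-sbx0 SRC=10.0.0.53 DST=172.20.0.3 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=9 SEQ=1
Jun 18 17:02:16 host kernel: OTHER: IN=br-sbx0 OUT=eth0 SRC=172.20.0.2 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=443
"""

SANDBOX_NETS = ["172.20.0.0/16"]   # assumed sandbox bridge subnet (hypothetical)
ALLOWLIST = ["10.0.0.53/32"]       # assumed permitted ICMP destination (hypothetical)
MAX_BENIGN_LEN = 128               # IP total length above which an echo is suspiciously large
SWEEP_THRESHOLD = 3                # distinct destinations per source that count as a sweep

# Pull only the key=value fields we need out of a LOG line.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|LEN|PROTO|TYPE)=(\S*)")


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_fields(line):
    """Return a dict of the recognised netfilter fields in one log line."""
    return dict(FIELD_RE.findall(line))


def _nets(items):
    return [ipaddress.ip_network(n) for n in items]


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def analyze(log_text, sandbox_nets=SANDBOX_NETS, allowlist=ALLOWLIST):
    """Flag ICMP that originates in a sandbox subnet and leaves for a non-allowlisted host."""
    sandbox = _nets(sandbox_nets)
    allowed = _nets(allowlist)
    findings = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("PROTO") != "ICMP":
            continue
        src, dst = f.get("SRC"), f.get("DST")
        if not (src and dst) or not in_any(src, sandbox):
            continue  # replies coming back into the sandbox are not egress
        if in_any(dst, allowed):
            continue  # destination is explicitly permitted
        reason = "icmp egress to non-allowlisted host"
        if int(f.get("LEN", "0")) > MAX_BENIGN_LEN:
            reason = "oversized icmp egress (possible covert channel)"
        findings.append(Finding(src, dst, reason))
    return findings


def sweep_sources(findings, threshold=SWEEP_THRESHOLD):
    """Map each sandbox source to its distinct-destination count when it reaches the threshold."""
    dests = defaultdict(set)
    for f in findings:
        dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.src} -> {f.dst}: {f.reason}")
    print("sweep sources:", sweep_sources(found))
```

Run against the live kernel log (for example the output of `journalctl -k`) after any daemon restart; because the authorizer is what normally drops this traffic, a single finding from a sandbox that was created before the restart is itself evidence that the block was not reapplied.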

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Columns: Type | Values Removed | Values Added. Only the Values Added column is populated in this entry.

Type: Description
Values added: Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.

Type: Title
Values added: Docker Sandboxes ICMP egress restriction bypass after daemon restart

Type: Weaknesses
Values added: CWE-665, CWE-923

Type: References
Values added: (none listed)

Type: Metrics
Values added:
  cvssV4_0: {'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Docker

Published:

Updated: 2026-06-18T14:56:02.329Z

Reserved: 2026-06-17T15:31:11.749Z

Link: CVE-2026-12539

Vulnrichment

Updated: 2026-06-18T14:55:59.351Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-665

    Improper Initialization

  • CWE-923

    Improper Restriction of Communication Channel to Intended Endpoints