Description
Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event. This issue has been fixed in Docker Desktop 4.76.0.
Published: 2026-06-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbounded recursion in the grpcfuse kernel module causes a kernel panic that crashes the Docker Desktop virtual machine. The flaw is an instance of uncontrolled recursion (CWE-674) and results in loss of service availability. No direct remote code execution or data exfiltration is possible; the primary harm is a crash of the Docker Desktop VM, which can take down all containers running in it.

Affected Systems

Docker Desktop installations earlier than version 4.76.0, on any platform, are vulnerable. The issue was fixed in Docker Desktop 4.76.0, so updating to that release or later removes the risk.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, the EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. At a minimum, an attacker needs the ability to run a container that creates deeply nested directories on a bind-mounted host folder to trigger the recursion and cause a VM panic. If an attacker can orchestrate such a container, the local VM will crash, denying service to all running containers.

Generated by OpenCVE AI on June 3, 2026 at 04:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Docker Desktop to version 4.76.0 or later
  • Configure containers to avoid creating extremely deep directory trees on bind-mounted host folders
  • If an upgrade is temporarily infeasible, restrict or remove the offending bind mounts from container configurations

Generated by OpenCVE AI on June 3, 2026 at 04:13 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Values added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 04:45:00 +0000

Values added (no values removed):

  • First Time appeared: Docker; Docker docker Desktop
  • Vendors & Products: Docker; Docker docker Desktop

Wed, 03 Jun 2026 02:30:00 +0000

Values added (no values removed):

  • Description: Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event. This issue has been fixed in Docker Desktop 4.76.0.
  • Title: Unbounded recursion in grpcfuse kernel module allows container to crash Docker Desktop VM
  • Weaknesses: CWE-674
  • References
  • Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/R:U'}


MITRE

Status: PUBLISHED

Assigner: Docker

Published:

Updated: 2026-06-03T14:08:05.541Z

Reserved: 2026-05-19T11:32:59.932Z

Link: CVE-2026-8936

Vulnrichment

Updated: 2026-06-03T13:53:19.737Z

NVD

Status: Received

Published: 2026-06-02T22:16:17.120

Modified: 2026-06-02T22:16:17.120

Link: CVE-2026-8936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses