CVE-2026-12539: CWE-923: Improper Restriction of Communication Channel to Intended Endpoints in Docker Docker Sandboxes
Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.
AI Analysis
Technical Summary
Docker Sandboxes (version 0.14.0) implement an ICMP egress block via an authorizer applied at network creation time. However, when the Docker daemon restarts, networks rebuilt from disk do not have this authorizer reapplied. As a result, a sandbox that survives a restart can forward ICMP packets to arbitrary hosts, circumventing the intended ICMP egress restrictions. This flaw allows an untrusted workload inside the sandbox to bypass the documented ICMP block, enabling network reconnaissance and data exfiltration over ICMP covert channels regardless of the configured allowlist. The vulnerability is tracked as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) and CWE-665 (Improper Initialization).
Potential Impact
An attacker controlling a workload inside a Docker sandbox can bypass ICMP egress restrictions after a Docker daemon restart, enabling network reconnaissance and covert data exfiltration via ICMP packets. This undermines network segmentation and data confidentiality controls that rely on ICMP blocking. The vulnerability has a CVSS 4.0 score of 5.7 (medium severity), indicating a moderate impact with low attack complexity and partial privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Until a fix is available, users should be aware that ICMP egress blocking may not persist across Docker daemon restarts in version 0.14.0 and consider additional network-level controls or sandbox isolation measures to mitigate risk.
CVE-2026-12539: CWE-923: Improper Restriction of Communication Channel to Intended Endpoints in Docker Docker Sandboxes
Description
Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.
CVSS v4.0
Score 5.7medium
Affected software
pkg:github/docker/sbx-releasesRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Docker Sandboxes (version 0.14.0) implement an ICMP egress block via an authorizer applied at network creation time. However, when the Docker daemon restarts, networks rebuilt from disk do not have this authorizer reapplied. As a result, a sandbox that survives a restart can forward ICMP packets to arbitrary hosts, circumventing the intended ICMP egress restrictions. This flaw allows an untrusted workload inside the sandbox to bypass the documented ICMP block, enabling network reconnaissance and data exfiltration over ICMP covert channels regardless of the configured allowlist. The vulnerability is tracked as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints) and CWE-665 (Improper Initialization).
Potential Impact
An attacker controlling a workload inside a Docker sandbox can bypass ICMP egress restrictions after a Docker daemon restart, enabling network reconnaissance and covert data exfiltration via ICMP packets. This undermines network segmentation and data confidentiality controls that rely on ICMP blocking. The vulnerability has a CVSS 4.0 score of 5.7 (medium severity), indicating a moderate impact with low attack complexity and partial privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Until a fix is available, users should be aware that ICMP egress blocking may not persist across Docker daemon restarts in version 0.14.0 and consider additional network-level controls or sandbox isolation measures to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Docker
- Date Reserved
- 2026-06-17T15:31:11.749Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33ff00f198dc38c1f0d3d0
Added to database: 6/18/2026, 2:21:52 PM
Last enriched: 6/18/2026, 2:35:23 PM
Last updated: 6/18/2026, 3:23:58 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.