The vulnerability arises because the vllm-metal inference backend in Docker Model Runner on macOS sets trust_remote_code=True unconditionally when loading model tokenizers. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files embedded in any model pulled from an OCI registry. Since this code runs without sandboxing, it enables arbitrary code execution on the Docker host with the Docker Desktop user's privileges. Exploitation can be triggered by any container on the Docker network via the model-runner.docker.internal API by pulling a malicious model and requesting inference. The CVSS 4.0 base score is 8.8, reflecting high impact and exploitability with low attack complexity but requiring privileges and partial user interaction.

Successful exploitation results in arbitrary code execution on the Docker host as the Docker Desktop user, potentially allowing an attacker to execute malicious commands or compromise the host system. The vulnerability affects Docker Desktop on macOS version 4.62.0. It can be triggered remotely by any container on the Docker network, increasing the attack surface within Docker environments. No known exploits in the wild have been reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the model-runner.docker.internal API and limit untrusted containers from interacting with Docker Desktop services. Avoid pulling models from untrusted OCI registries. Monitor vendor channels for updates and apply patches promptly once available.