CVE-2026-8936: Docker Desktop VM Panic Triggered via grpcfuse Recursion

Low-privileged code running inside a container can panic the Docker Desktop VM through uncontrolled recursion in the grpcfuse kernel module. The flaw, fixed in Docker Desktop 4.76.0, is a denial of service triggered by creating deeply nested directories on a bind-mounted host folder.

On June 3, 2026, the Zero Day Initiative published advisory ZDI-26-327, detailing a vulnerability in the Docker Desktop grpcfuse kernel module, tracked as CVE-2026-8936. Low-privileged code running inside a container can trigger a VM panic, and therefore a denial of service, through uncontrolled recursion. The condition is reached by creating deeply nested directories on a bind-mounted host folder and then triggering a dentry invalidation event. Docker addressed the issue in Docker Desktop 4.76.0.

Key Takeaways
  • CVE-2026-8936 resides within the grpcfuse kernel module of Docker Desktop.
  • An attacker with low-privileged code execution inside a container can trigger a VM panic, resulting in a denial of service.
  • The exploit leverages uncontrolled recursion via deeply nested directories on host bind mounts followed by dentry invalidation.
  • The fix is available in Docker Desktop 4.76.0; coordinated disclosure occurred on June 3, 2026, following a vendor report on April 30, 2026.
  • There is no confirmation of in-the-wild exploitation prior to the patch.

The Mechanism: How a Container Crashes the VM

The grpcfuse module is the in-VM kernel side of Docker Desktop's FUSE-based file sharing between the host and containers. According to advisory ZDI-26-327, "the specific flaw exists within the grpcfuse kernel module. The issue results from the lack of proper validation of user-supplied data, which can result in unbounded recursion."

The CVE Record gives the trigger: the recursion occurs when a container has "created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event." Because the module does not validate the user-supplied nesting it processes, the call stack grows with attacker-controlled depth. A kernel stack is small and fixed in size, so once it is exhausted the guest kernel panics rather than recovering.

This is not a traditional container escape; the attacker does not achieve code execution outside the container or escalate privileges on the host system. The impact is strictly limited to availability: the Docker virtual machine crashes, terminating all running containers and requiring a full restart.
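
As an added illustration of the defect class, and not of grpcfuse's actual code (the advisory gives neither the required depth nor the invalidation mechanics, and none of that is modelled here), the following Python walks a constructed single-child directory chain three ways: with unbounded recursion, with a depth cap, and iteratively. CPython turns the unbounded case into a catchable RecursionError; a kernel has no such guard and overflows its fixed-size stack instead. The tree shape, the walk and the cap value are assumptions chosen for the demo.

```python
"""Constructed illustration of CWE-674 (uncontrolled recursion) and two fixes.

This does NOT model grpcfuse internals; the tree, the walk and the cap are
stand-ins chosen for the demo only.
"""

# Depth cap for the hardened walk. Real code would pick a bound that suits the
# filesystem's documented limits; 256 is an assumption for the demo.
MAX_NESTING = 256


def build_chain(depth):
    """Constructed stand-in for a path d1/d2/.../d<depth> of single-child
    directories, built iteratively so the builder itself cannot overflow."""
    node = None
    for i in range(depth, 0, -1):
        node = {"name": f"d{i}", "child": node}
    return node


def invalidate_recursive(node):
    """Vulnerable pattern: one stack frame per nesting level and no bound.
    The nesting depth is entirely under the caller's (attacker's) control."""
    if node is None:
        return 0
    return 1 + invalidate_recursive(node["child"])


def run_unbounded(depth):
    """Exercise the vulnerable walk. CPython raises RecursionError at its
    interpreter limit; a kernel has no equivalent guard and would overflow
    its fixed-size stack (a panic) instead."""
    try:
        return ("ok", invalidate_recursive(build_chain(depth)))
    except RecursionError:
        return ("overflow", None)


def invalidate_capped(node, max_depth=MAX_NESTING):
    """Fix 1: keep the recursion but refuse input deeper than max_depth.
    Returns the number of levels walked, or None if the cap was exceeded
    (kernel code would return an error to the caller at that point)."""
    def walk(n, depth):
        if n is None:
            return depth
        if depth >= max_depth:
            return None
        return walk(n["child"], depth + 1)
    return walk(node, 0)


def invalidate_iterative(node):
    """Fix 2: explicit loop, so stack usage does not grow with nesting depth."""
    levels = 0
    while node is not None:
        levels += 1
        node = node["child"]
    return levels


if __name__ == "__main__":
    print(run_unbounded(50))                           # ('ok', 50)
    print(run_unbounded(100_000))                      # ('overflow', None) under CPython's default limit
    print(invalidate_capped(build_chain(100_000)))     # None: rejected before any overflow
    print(invalidate_iterative(build_chain(100_000)))  # 100000
```

The capped walk is the cheaper change to retrofit into an existing recursive path; the iterative walk is the one that removes the depth dependency entirely, which is what a kernel component handling attacker-shaped trees ultimately needs.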

Attack Conditions and Exposure

The ZDI advisory explicitly defines the prerequisites: "an attacker must first obtain the ability to execute low-privileged code within a container on the target system in order to exploit this vulnerability." Root access within the container is not required, nor is a prior compromise of the host.

Exploitation requires a specific configuration: the container must have a bind mount of a host folder, in which the attacker creates deeply nested directories and then triggers a dentry invalidation event. The documentation does not specify the nesting depth required, nor which operation constitutes the invalidation event.

The reporting does not state the full range of affected Docker Desktop versions, only that 4.76.0 contains the fix, and it does not say whether other components are affected. Nor does it confirm whether the grpcfuse module exists outside Docker Desktop; since the module serves host-to-VM file sharing, it would have no role in a standalone Docker Engine install on Linux, where bind mounts are native, but the sources do not address this directly.

CVSS: One Vulnerability, Two Standards

The flaw is classified as 6.5 (Medium) under CVSS v3.1 and 8.2 (High) under CVSS v4.0, a difference that comes from how the two standards model the same facts, not from any disagreement about them. According to ZDI-26-327, the CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, which the NVD calculator confirms at 6.5. The CVE Record lists the CVSS v4.0 vector as CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/R:U with a score of 8.2; the trailing R:U is a supplemental Recovery metric and does not contribute to the numeric score.

Both scores are valid within their respective frameworks and do not represent a conflict. The available data does not indicate which standard Docker or specific vulnerability management tools prioritize for internal classification.

Key Metric

CVSS v3.1: 6.5 (Medium) — CVSS v4.0: 8.2 (High). The same vulnerability, viewed through two different scoring lenses.

Remediation and Mitigation

  • Update Docker Desktop to version 4.76.0. According to official release notes, this version "addressed CVE-2026-8936, a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event."
  • Audit for containers from unverified sources that have bind mounts of host directories, since those are the containers in which untrusted code can shape the directory tree on shared storage.
  • Verify the installed version of Docker Desktop via the "About" menu or the docker version command and schedule updates during maintenance cycles.
  • Evaluate the removal of unnecessary bind mounts to host filesystems in multi-tenant environments or when handling external containers.
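
The version check and the bind-mount audit above can be scripted. The following Python is an added helper, not Docker's tooling: it parses the JSON that `docker inspect` emits and the "Server: Docker Desktop X.Y.Z (build)" line that `docker version` prints on a Docker Desktop host, and it runs offline on constructed samples (the 4.75.0 version number and the three containers are invented for the demo). The writable flag is reported only as context; the sources document no mitigation and do not say that read-only mounts are safe.

```python
"""Audit helper for CVE-2026-8936 remediation: installed Docker Desktop
version and containers with host bind mounts.

Added example; not Docker's code. Samples below are constructed.
"""

import json
import re
import subprocess

FIXED_VERSION = (4, 76, 0)  # first release with the fix, per the release notes

# Constructed sample of `docker version` output on a Docker Desktop host.
SAMPLE_VERSION_OUTPUT = """Client:
 Version:           27.3.1
 API version:       1.47

Server: Docker Desktop 4.75.0 (999999)
 Engine:
  Version:          27.3.1
"""

# Constructed sample of `docker inspect` output: a writable host bind mount,
# a read-only host bind mount, and a named volume (not a host folder).
SAMPLE_INSPECT_OUTPUT = json.dumps([
    {"Name": "/build-worker", "Image": "example/untrusted-ci:latest",
     "Mounts": [{"Type": "bind", "Source": "/Users/alice/project",
                 "Destination": "/src", "RW": True}]},
    {"Name": "/docs-preview", "Image": "example/docs:1.0",
     "Mounts": [{"Type": "bind", "Source": "/Users/alice/docs",
                 "Destination": "/site", "RW": False}]},
    {"Name": "/db", "Image": "postgres:16",
     "Mounts": [{"Type": "volume", "Name": "pgdata",
                 "Source": "/var/lib/docker/volumes/pgdata/_data",
                 "Destination": "/var/lib/postgresql/data", "RW": True}]},
])


def parse_desktop_version(version_output):
    """Return (major, minor, patch) from the 'Server: Docker Desktop X.Y.Z' line,
    or None when the daemon is not Docker Desktop (for example plain Docker Engine)."""
    m = re.search(r"Docker Desktop (\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True once the installed Docker Desktop is at or beyond the fixed release."""
    return version is not None and version >= FIXED_VERSION


def host_bind_mounts(inspect_output):
    """List (container, host_source, container_dest, writable) for each bind mount.
    Named volumes are skipped: they live on the VM's own disk, not on a host folder."""
    findings = []
    for container in json.loads(inspect_output):
        name = container["Name"].lstrip("/")
        for mnt in container.get("Mounts", []):
            if mnt.get("Type") == "bind":
                findings.append((name, mnt["Source"], mnt["Destination"],
                                 bool(mnt.get("RW", True))))
    return findings


def report(version_output, inspect_output):
    """Combine both checks into one dict, suitable for printing or ticketing."""
    version = parse_desktop_version(version_output)
    mounts = host_bind_mounts(inspect_output)
    return {
        "desktop_version": version,
        "patched": is_patched(version),
        "containers_with_host_bind_mounts": sorted({m[0] for m in mounts}),
        "writable_host_bind_mounts": [m for m in mounts if m[3]],
    }


def live_report():
    """Run the same checks against the local daemon (needs docker on PATH)."""
    run = lambda *args: subprocess.run(args, capture_output=True, text=True, check=True).stdout
    version_out = run("docker", "version")
    ids = run("docker", "ps", "-q").split()
    inspect_out = run("docker", "inspect", *ids) if ids else "[]"
    return report(version_out, inspect_out)


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_VERSION_OUTPUT, SAMPLE_INSPECT_OUTPUT), indent=2))
```

Replace the `report(...)` call in the main block with `live_report()` to audit a real host; `parse_desktop_version` returning None on a plain Docker Engine daemon is the quickest way to confirm that the Desktop-specific file-sharing path is not in play on that machine.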

The technical brief documents no further operational actions. No temporary mitigations are known beyond the software update.

Context and Known Limitations

The vulnerability was discovered by Nitesh Surana of TrendAI Research, who reported the flaw to the vendor on April 30, 2026. Coordinated disclosure followed on June 3, 2026.

Significant limitations remain in the current reporting: there is no confirmation of in-the-wild exploitation; it is unclear if other components are affected; and no temporary workarounds have been documented. It is also unverified if the grpcfuse module is present in standalone Docker Engine installs.

These factors should be considered during risk assessment. The vulnerability is a specific issue with precise trigger conditions and an available fix, rather than a generalized systemic threat.

Editorial Perspective

CVE-2026-8936 reinforces a recurring pattern in container security: shared filesystems between host and guest remain a sensitive attack surface even when isolation appears robust. The grpcfuse module, designed for development convenience, failed due to insufficient validation of user-controllable input.

The difference between the CVSS v3.1 and v4.0 scores, 6.5 versus 8.2, is not an error but a signal. CVSS v4.0 drops the v3.1 Scope metric and instead scores the vulnerable system and subsequent systems separately (here VA:H and SA:H), and a local, low-privilege, availability-only flaw lands higher under that model. For security teams, this means patching priority may shift significantly depending on which standard their tooling uses.

Updating to Docker Desktop 4.76.0 is the only documented countermeasure. In the absence of alternative mitigations, the speed of patch deployment is the primary factor in risk reduction.

Information has been verified against cited sources and is current as of the time of publication.

Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. docs.docker.com
  4. nvd.nist.gov
  5. docker.com