Multiple Permission Assignment Vulnerabilities in Docker Desktop for Windows
CVE-2025-14740

6.7 MEDIUM

Key Information:

Vendor
CVE Published: 4 February 2026

What is CVE-2025-14740?

Docker Desktop for Windows contains multiple vulnerabilities caused by incorrect permission assignment in its management of the C:\ProgramData\DockerDesktop directory. Both can lead to arbitrary code execution, posing significant security risks to users. In the first scenario, a low-privileged user pre-creates the directory before installation and retains ownership of it even though the installation process applies restrictive access controls. This ownership lets the attacker alter critical configuration files after installation. The second scenario is a time-of-check-to-time-of-use (TOCTOU) race condition: a low-privileged attacker can inject malicious files into the directory during the brief window while secure permissions are being established.
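
A defender-side check for both scenarios, added here as an example and not taken from the advisory or from Docker: it reports every item under C:\ProgramData\DockerDesktop whose owner, or whose write-capable allow ACEs, fall outside a trusted set. The function name Get-DirectoryTrustFinding and the trusted set (SYSTEM, Administrators, TrustedInstaller) are assumptions to adjust for your environment.

```powershell
# Added audit example; not Docker's or the advisory's code.
# Assumption: only these principals should own or write to items under the directory.
$Trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$Root = 'C:\ProgramData\DockerDesktop'   # directory named in the advisory

# Rights that let a principal change content or the security descriptor.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
# Get-Acl can return raw generic rights: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$Mask = $WriteBits -bor 0x40000000 -bor 0x10000000

function Get-DirectoryTrustFinding {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop

    # An owner keeps implicit WRITE_DAC even when the DACL looks restrictive,
    # which is why a pre-created directory stays under the creator's control.
    $owner = $acl.GetOwner($sidType).Value
    if ($Trusted -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Issue = 'UntrustedOwner'; Sid = $owner; Rights = 'owner (implicit WRITE_DAC)' }
    }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs do not apply to this item; children are checked on their own.
        $inheritOnly = ([int]$ace.PropagationFlags -band 2) -ne 0   # 2 = InheritOnly
        $canWrite = ([int]$ace.FileSystemRights -band $Mask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and $canWrite -and
            $Trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Path = $Path; Issue = 'UntrustedWriteAce'; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

if (Test-Path -LiteralPath $Root) {
    # Check the directory itself plus everything below it (covers files dropped during setup).
    $items = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
    $items | ForEach-Object { Get-DirectoryTrustFinding -Path $_ } | Format-Table -AutoSize
} else {
    Write-Output "$Root does not exist."
}
```

Run it from an elevated prompt so every security descriptor is readable. If the directory already exists on a host where Docker Desktop has never been installed, treat that as a finding in its own right.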

Affected Version(s)

Docker Desktop Windows 0 <= 4.56.0

References

CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nitesh Surana (niteshsurana.com) - Trend Micro Zero Day Initiative
Amol Dosanjh - Trend Micro Research