Unbounded Recursion Vulnerability in Docker Desktop Kernel Module
CVE-2026-8936

8.2HIGH

Key Information:

Vendor: Docker
Status: Docker Desktop
Vendor: CVE Published:; 2 June 2026

What is CVE-2026-8936?

A vulnerability in the grpcfuse kernel module of Docker Desktop has been identified, which allows for a VM panic when a container attempts to create deeply nested directories on a bind-mounted host folder. This event triggers an unbounded recursion due to dentry invalidation, leading to potential instability in the system. Docker has addressed this issue in version 4.76.0.

Affected Version(s)

Docker Desktop Windows 4.33.0 < 4.76.0

References

https://docs.docker.com/desktop/release-notes/#4760

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2026
Vulnerability Reserved
May 19, 2026

Credit

Nitesh Surana of TrendAI Research of Trend Micro

CVE-2026-8936 Data

JSON