Docker: Privilege escalation vulnerability in Desktop for Windows
Attackers can escalate their privileges through a security vulnerability in Docker Desktop for Windows. An update fixes this.
(Image: Da Da Diamond/Shutterstock.com)
Updated Docker Desktop software packages close a security gap that could allow attackers to escalate their privileges on the system. The Windows version of the container software is affected.
In the release notes, the Docker developers write that version 4.41.0 closes a security vulnerability that allows attackers with local access to the machine to gain elevated privileges while Docker Desktop installs updates (CVE-2025-3224, CVSS 7.3, risk "high").
Update process as the attack vector
During an update, Docker Desktop attempts to delete files and subfolders under the path "C:\ProgramData\Docker\config" with elevated rights. This directory does not normally exist. However, the default permissions on "C:\ProgramData\" allow users with standard (non-administrative) rights to create subfolders there, so an attacker can pre-create a malicious "Docker\config" folder structure. Because the deletion runs with elevated rights, the attacker can redirect it (for example with a directory junction or symbolic link) and trick the privileged update process into deleting or manipulating arbitrary system files, which results in elevated privileges.
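The following PowerShell script is an added example for administrators, not code from Docker or from the article. It audits a Windows host for the three things the paragraph above turns on: whether the installed Docker Desktop is older than 4.41.0, whether the normally absent "C:\ProgramData\Docker\config" folder exists (and who owns it, and whether it is a reparse point such as a junction), and whether the ACL on "C:\ProgramData" lets standard users create subfolders. The executable path, the version-parsing logic and the output format are assumptions of this example.

```powershell
# Added example (not Docker's or the article's code): audit a host for the
# pre-conditions of CVE-2025-3224 and for the fixed Docker Desktop version.
# Assumptions: Docker Desktop lives at its default install path; the product
# version of the main executable reflects the installed release.

$ConfigPath   = 'C:\ProgramData\Docker\config'
$FixedVersion = [version]'4.41.0'

function Get-DockerDesktopVersion {
    # Read the product version from the Docker Desktop executable, if present.
    $exe = Join-Path $env:ProgramFiles 'Docker\Docker\Docker Desktop.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    # ProductVersion may carry a build suffix; keep only the first three numeric parts.
    $parts = (($raw -split '[^0-9.]')[0] -split '\.') | Select-Object -First 3
    return [version]($parts -join '.')
}

function Test-ConfigDirSuspicious {
    # The directory normally does not exist. If it does, report its owner and
    # whether it is a reparse point (junction/symlink), the usual way an
    # arbitrary-delete primitive is redirected at protected files.
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        return [pscustomobject]@{ Exists = $false; Owner = $null; ReparsePoint = $false }
    }
    $item = Get-Item -LiteralPath $ConfigPath -Force
    $acl  = Get-Acl -LiteralPath $ConfigPath
    [pscustomobject]@{
        Exists       = $true
        Owner        = $acl.Owner
        ReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    }
}

function Test-ProgramDataWritableByUsers {
    # List Allow ACEs on C:\ProgramData that grant CreateDirectories to
    # BUILTIN\Users or Authenticated Users; this is the Windows default and is
    # what lets a standard user pre-create Docker\config.
    $acl = Get-Acl -LiteralPath (Join-Path $env:SystemDrive 'ProgramData')
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users' -and
        ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::CreateDirectories)
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

$ver = Get-DockerDesktopVersion
if ($null -eq $ver) {
    Write-Output 'Docker Desktop not found at the default install path.'
} elseif ($ver -lt $FixedVersion) {
    Write-Output "Docker Desktop $ver is below $FixedVersion: affected by CVE-2025-3224, update."
} else {
    Write-Output "Docker Desktop $ver includes the fix."
}

$cfg = Test-ConfigDirSuspicious
if ($cfg.Exists) {
    Write-Output "WARNING: $ConfigPath exists (owner: $($cfg.Owner), reparse point: $($cfg.ReparsePoint))."
} else {
    Write-Output "$ConfigPath does not exist, as expected."
}

Write-Output 'ACEs on ProgramData granting CreateDirectories to standard users:'
Test-ProgramDataWritableByUsers | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that Get-Acl can read the ACLs. A pre-existing "Docker\config" folder owned by a non-administrative account, or one that is a reparse point, is the indicator worth investigating; on an unpatched host the fix is simply to update to 4.41.0 or later, since the permissive ProgramData ACL is standard and not something to change for this issue.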
A general description of how file deletion by a privileged process can be abused for privilege escalation is provided by Trend Micro's Zero-Day Initiative. The updated version also brings several new features. For example, Docker Desktop is now available in the Microsoft Store, which is useful because the store automatically updates the locally installed software.
The release notes linked above also list numerous smaller bug fixes and enhancements. Some affect all supported platforms, such as a fix for DockerVMM creating an excessive number of open file handles on the host system. On macOS, a bug that caused increased CPU load is said to have been fixed. In addition to download and installation from the Microsoft Store, the Docker developers offer direct downloads of the updated Docker Desktop installer for Windows, Windows on ARM, Mac with Apple Silicon and Intel Macs, as well as ready-to-use packages for Debian, RPM-based distributions and Arch Linux.
(dmk)