Flaw in Docker Model Runner allows sandbox escape on macOS

A security update closes a vulnerability in Docker for macOS that allows malicious code to be executed.


If attackers successfully exploit a security vulnerability in Docker on macOS, they can break out of the sandbox and execute malicious code on the host system. A patched version is available for download.

In a security advisory, the developers explain that the vulnerability (CVE-2026-5843, rated “high”) in Docker Model Runner is related to loading and executing local LLMs. It allows attackers to trick the component into loading an AI model infected with malicious code. However, they must have network access to containers for this.

The security problem specifically lies in the handling of Python code in this context. Because no verification takes place, an LLM is loaded directly without a security prompt. On macOS, Apple's MLX framework handles local AI models. In this case, MLX reads the config.json and directly executes malicious_script.py. Because MLX runs outside the Docker environment, without a sandbox and directly at the system level, attackers can execute their code with the user's privileges.
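A defender-side pre-load check for the pattern described above, as an added example that is not code from the article, Docker or MLX: it flags any `.py` reference in a model's `config.json` and any Python file shipped next to the weights, so that loading can be refused until someone has reviewed them. The function names and the `custom_loader` key in the sample data are assumptions made for illustration; the article does not name the real configuration key.

```python
import json
import tempfile
from pathlib import Path


def py_references(node, path="$"):
    """Yield (json_path, value) for every string in the config naming a .py file."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from py_references(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from py_references(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.strip().lower().endswith(".py"):
        yield path, node


def audit_model_dir(model_dir):
    """Return findings that should block loading until they have been reviewed."""
    root = Path(model_dir)
    findings = []
    try:
        data = json.loads((root / "config.json").read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        findings.append(f"config.json unreadable: {type(exc).__name__}")
    else:
        findings += [f"config.json {p} references {v!r}" for p, v in py_references(data)]
    # Python source shipped alongside model weights is code, not data.
    findings += [f"python file in model dir: {f.relative_to(root)}"
                 for f in sorted(root.rglob("*.py"))]
    return findings


def demo():
    """Audit two constructed model directories: one clean, one carrying a script."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp, "clean"), Path(tmp, "bad")
        clean.mkdir()
        bad.mkdir()
        (clean / "config.json").write_text(json.dumps({"model_type": "llama"}))
        # "custom_loader" is a made-up key used only for this constructed sample.
        (bad / "config.json").write_text(json.dumps({"custom_loader": "malicious_script.py"}))
        (bad / "malicious_script.py").write_text("# constructed placeholder\n")
        return audit_model_dir(clean), audit_model_dir(bad)


if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```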


The developers state that Docker from version 4.56.0 is affected. They say they have resolved the security issue in version 4.71.0. So far, there are no reports of attackers exploiting the vulnerability. That version has been available since April of this year. However, concrete information about the vulnerability has only recently become known.

Currently, version 4.75.0 is available, in which the developers have fixed various bugs on macOS and Windows. In 4.72.0, they closed the Linux kernel security vulnerability “Copy Fail” (CVE-2026-31432, rated “high”). The Copy Fail vulnerability is already being exploited, and attackers use it to compromise systems as root. Administrators should therefore ensure that an up-to-date version is installed on their systems.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.