PatchSiren

CVE-2026-12039 Docker CVE debrief

CVE-2026-12039 is a medium-severity vulnerability in Docker Sandboxes (sbx) that allows data exfiltration through a DNS covert channel. The sandbox enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution. As a result, an untrusted workload inside a sandbox can encode data into DNS labels under an attacker-controlled domain and send it out in DNS queries, bypassing the configured allowlist. The vulnerability has a CVSS score of 5.7 and was published on June 18, 2026.

Vendor: Docker
Product: Docker Sandboxes
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-22
Advisory published: 2026-06-18
Advisory updated: 2026-06-22

Who should care

Users of Docker Sandboxes (sbx) should be aware of this vulnerability and take necessary precautions to prevent data exfiltration. This includes reviewing and updating their egress allowlists and monitoring DNS traffic for suspicious activity.

Technical summary

The Docker Sandbox (sbx) enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution. The per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. This allows a workload inside a sandbox to encode data into DNS labels for an attacker-controlled domain and exfiltrate it through a DNS covert channel, bypassing the configured allowlist.

Defensive priority

medium

Recommended defensive actions

  • Review and update egress allowlists to ensure they are comprehensive and up-to-date.
  • Monitor DNS traffic for suspicious activity.
  • Implement additional security measures to detect and prevent data exfiltration.
  • Consider using alternative DNS resolution methods that can be more tightly controlled.
  • Keep Docker Sandboxes (sbx) and related software up to date with the latest security patches.
  • Conduct regular security audits and risk assessments to identify potential vulnerabilities.
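
One way to approach the DNS monitoring recommended above, as an added example that is not code from PatchSiren or Docker: it compares resolver queries against the HTTP/S egress allowlist and flags per-sandbox groups of off-allowlist names that carry long, high-entropy labels. The log format, the allowlist contents, the thresholds and all function names are assumptions, and the sample queries are constructed.

```python
import math
from collections import Counter, defaultdict

# Assumed policy: hostnames permitted by the sandbox's HTTP/S egress allowlist.
ALLOWLIST = {"registry.example.com", "api.example.com"}

# Constructed resolver log: (sandbox id, queried name).
SAMPLE_QUERIES = [
    ("sbx-a", "registry.example.com"),
    ("sbx-a", "api.example.com"),
    ("sbx-a", "cdn.example.net"),
    ("sbx-b", "api.example.com"),
    ("sbx-b", "k3v9q2x7m1z8p4w6t0r5y2b7n.c1.collector.test"),
    ("sbx-b", "h8d2f6j0l4s9a3g7u1e5o9i3c.c2.collector.test"),
    ("sbx-b", "q7w1e5r9t3y7u2i6o0p4a8s2d.c3.collector.test"),
]

def is_allowed(name, allowlist):
    """True if name equals an allowlisted host or is a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == h or name.endswith("." + h) for h in allowlist)

def label_entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def find_dns_exfil_candidates(queries, allowlist,
                              min_len=20, min_entropy=3.5, min_unique=3):
    """Group off-allowlist queries by (sandbox, base domain) and list reasons."""
    groups = defaultdict(set)
    for sandbox, name in queries:
        if is_allowed(name, allowlist):
            continue  # name matches the HTTP/S policy, nothing to report
        name = name.rstrip(".").lower()
        base = ".".join(name.split(".")[-2:])  # naive registered-domain guess
        groups[(sandbox, base)].add(name)
    findings = {}
    for key, names in groups.items():
        reasons = ["off-allowlist"]  # resolved even though policy never allowed it
        if any(len(l) >= min_len and label_entropy(l) >= min_entropy
               for n in names for l in n.split(".")[:-2]):
            reasons.append("high-entropy-label")
        if len(names) >= min_unique:
            reasons.append("many-unique-names")
        findings[key] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in find_dns_exfil_candidates(SAMPLE_QUERIES, ALLOWLIST).items():
        print(key, reasons)
```

The two-label base-domain guess is a simplification; a production version would use the Public Suffix List to find the registered domain.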

Evidence notes

The information provided is based on the CVE record and NVD detail for CVE-2026-12039. The vulnerability was published on June 18, 2026, and has a CVSS score of 5.7. The Docker Sandbox (sbx) documentation and release notes may provide additional information on the vulnerability and potential mitigations.
