PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12539 Docker CVE debrief

CVE-2026-12539 is a MEDIUM severity vulnerability in Docker Sandboxes (sbx) that allows a restart-surviving sandbox to forward ICMP to arbitrary hosts. This enables a workload inside the sandbox to perform network reconnaissance and exfiltrate data over an ICMP covert channel. Users of Docker Sandboxes (sbx) should be aware of this vulnerability and take necessary actions to mitigate it. This includes reviewing and updating their network configurations and ensuring that their Docker daemon is properly configured to prevent unauthorized ICMP egress.

Vendor
Docker
Product
Docker Sandboxes
CVSS
MEDIUM 5.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-30
Advisory published
2026-06-18
Advisory updated
2026-06-30

Who should care

Users of Docker Sandboxes (sbx), including developers, system administrators, and security teams, should be aware of this vulnerability and take necessary actions to mitigate it. This includes reviewing and updating their network configurations, verifying Docker daemon configuration, and monitoring network activity for suspicious ICMP traffic.

Technical summary

The vulnerability is caused by the fact that the authorizer is only applied at network-creation time and not re-applied when the Docker daemon restarts. This allows a restart-surviving sandbox to forward ICMP to arbitrary hosts, enabling a workload inside the sandbox to perform network reconnaissance and exfiltrate data over an ICMP covert channel. The issue affects Docker Sandboxes (sbx) and can be exploited by a workload inside a sandbox, which is treated as untrusted. The vulnerability can be mitigated by reviewing and updating network configurations, verifying Docker daemon configuration, and monitoring network activity for suspicious ICMP traffic.

Defensive priority

MEDIUM

Recommended defensive actions

  • Review and update network configurations to ensure proper ICMP egress blocking
  • Verify Docker daemon configuration to prevent unauthorized ICMP egress
  • Monitor network activity for suspicious ICMP traffic
  • Apply vendor-provided patches or updates when available
  • Perform a thorough review of the Docker sandbox environment to identify potential exposure
  • Conduct regular security audits to detect and address any vulnerabilities
  • Implement additional compensating controls to mitigate the risk of exploitation

Evidence notes

The CVE record was published on 2026-06-18T14:17:22.510Z and was last modified on 2026-06-30T17:16:20.793Z. The NVD entry is currently Awaiting Analysis. This information is based on the provided source corpus and may be subject to change as new information becomes available. Users should verify the status of CVE-2026-12539 with the official CVE and NVD sources for the most up-to-date information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T14:17:22.510Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.