CVE-2026-12039 is a medium-severity vulnerability in Docker Sandboxes (sbx) that allows data exfiltration through a DNS covert channel. The sandbox enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution. As a result, a workload inside a sandbox, which is treated as untrusted by design, can encode data into DNS labels for an attacker-controlled domain and exfiltrate it through a DNS covert channel, by [truncated]
A vulnerability in Docker Desktop's Enhanced Container Isolation (ECI) feature allows local attackers to bypass container restrictions and gain unauthorized access to the Docker Engine socket. The flaw exists because ECI enforcement in the Docker Desktop API proxy only inspected the HostConfig.Binds field for Docker socket mounts, while the --use-api-socket CLI flag added mounts via the HostConfig.Mounts [truncated]
CVE-2019-15752 is a Docker Desktop Community Edition privilege escalation vulnerability that CISA added to its Known Exploited Vulnerabilities catalog. Because it is treated as known exploited, organizations running affected Docker Desktop Community Edition installations should prioritize remediation using vendor update guidance.
CVE-2016-9962 describes a container-runtime isolation flaw in which additional processes started through runc exec could be ptraced by PID 1 inside the container during initialization. According to the record, that timing window could expose file descriptors and allow modification of runC state or container escape. NVD rates the issue CVSS 6.4 (medium), but the impact is serious for affected hosts because [truncated]