CVE Catalog

CVE-2026-12039

MediumCVSS 5.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile — higher than 1% of all known CVEs

Summary

A vulnerability in Docker Sandboxes (sbx) allows bypassing the HTTP/S-only egress allowlist via DNS tunneling. The embedded DNS server forwards queries to the host resolver without policy enforcement, enabling untrusted workloads to exfiltrate data encoded in DNS labels.

Risk Assessment

The organization risks data exfiltration from containers considered untrusted in the threat model through a DNS covert channel, circumventing configured network security rules.

Recommendation

Update Docker Sandboxes to a version where the allowlist policy is also applied to DNS queries, or temporarily restrict access to external DNS servers for container networks.

Original NVD description (English source)

Docker Sandboxes (sbx) enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which the threat model treats as untrusted, can therefore encode data into DNS labels for an attacker-controlled domain and exfiltrate it through a DNS covert channel, bypassing the configured allowlist.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS