Security Advisory - Published 2026-06-13 - Docker / Moby

Moby Docker CVE-2026-42306: daemon, firewall, and container network check

Operators of hosts running a Docker Engine release older than the fixed one should check the daemon version, container network exposure, and host firewall assumptions. This matters most on VPS instances, CI runners, shared build hosts, and servers that publish container ports directly.

Defensive scope: this guide covers version confirmation, firewall review, container inventory, and upgrade validation. It does not include container breakout or network-bypass steps.

Checks to run

docker version
docker info
docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Ports}}"
iptables -S 2>/dev/null | head -80
nft list ruleset 2>/dev/null | head -120

Confirm the daemon version, not just the Docker CLI version. If the host is managed by a panel, CI system, or cloud image, check the package source before assuming automatic updates already landed.

Safe fix path

  1. Upgrade Docker Engine to 29.5.1 or the vendor-fixed package for the host.
  2. Review published ports and remove containers that do not need internet exposure.
  3. Confirm host firewall rules after the daemon restart.
  4. Review CI runners and build agents separately; they often lag behind production hosts.
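
The daemon-version and published-port checks above, combined into one script. This is an added example, not part of the original advisory or of Docker's own tooling. It queries the live daemon when one is reachable and otherwise falls back to constructed sample values; the function names and the sample containers are assumptions.

```shell
#!/bin/sh
FIXED="29.5.1"   # fixed upstream release named in the advisory

# version_lt A B: succeed when dotted version A is older than B.
# Packaging suffixes ("-rc1", "+dfsg1", "~ubuntu") are ignored, and a
# vendor-fixed package may keep an older number: check its changelog.
version_lt() {
    a="${1%%[-+~]*}.0.0"; b="${2%%[-+~]*}.0.0"   # pad short versions
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# public_ports: read "name<TAB>ports" lines (docker ps format) on stdin and
# print every mapping bound to all interfaces (0.0.0.0, :: or [::]).
# Loopback-bound and unpublished ports are skipped.
public_ports() {
    awk -F'\t' '{
        n = split($2, m, ", ")
        for (i = 1; i <= n; i++)
            if (m[i] ~ /^(0\.0\.0\.0|\[::\]|::):[0-9-]+->/) print $1 "\t" m[i]
    }'
}

# Constructed sample data, used when no daemon is reachable.
SAMPLE_VERSION="29.4.0"
SAMPLE_PS=$(printf '%s\t%s\n' \
    web   '0.0.0.0:8080->80/tcp, [::]:8080->80/tcp' \
    db    '127.0.0.1:5432->5432/tcp' \
    cache '6379/tcp')

# Ask the daemon (Server), not the CLI, for its version.
if server=$(docker version --format '{{.Server.Version}}' 2>/dev/null) && [ -n "$server" ]; then
    ps_out=$(docker ps --format '{{.Names}}\t{{.Ports}}')
else
    server=$SAMPLE_VERSION; ps_out=$SAMPLE_PS
fi

if version_lt "$server" "$FIXED"; then
    echo "daemon $server is older than $FIXED: upgrade, then re-run"
else
    echo "daemon $server is at or above $FIXED"
fi
echo "mappings published on all interfaces:"
printf '%s\n' "$ps_out" | public_ports
```

Run it once before the upgrade and again after the daemon restart, then compare the listed mappings with the host firewall rules.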

Ping7 repair path

Ping7 can review Docker daemon versions, published ports, host firewall state, and post-upgrade service health. Use CVE Repair for owned servers or client-approved container hosts.
