FKIE_CVE-2025-14740

Vulnerability from fkie_nvd - Published: 2026-02-04 14:16 - Updated: 2026-02-04 16:33
Summary
Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios:

Scenario 1 (Persistent Attack): If a low-privileged attacker pre-creates C:\ProgramData\DockerDesktop before Docker Desktop installation, the attacker retains ownership of the directory even after the installer applies restrictive ACLs. At any time after installation completes, the attacker can modify the directory ACL (as the owner) and tamper with critical configuration files such as install-settings.json to specify a malicious credentialHelper, causing arbitrary code execution when any user runs Docker Desktop.

Scenario 2 (TOCTOU Attack): During installation, there is a time-of-check-time-of-use (TOCTOU) race condition between when the installer creates C:\ProgramData\DockerDesktop and when it sets secure ACLs. A low-privileged attacker actively monitoring for the installation can inject malicious files (such as install-settings.json) with attacker-controlled ACLs during this window, achieving the same code execution outcome.
Impacted products
Vendor Product Version

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer\u0027s handling of the C:\\ProgramData\\DockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios:\n\nScenario 1 (Persistent Attack):\nIf a low-privileged attacker pre-creates C:\\ProgramData\\DockerDesktop before Docker Desktop installation, the attacker retains ownership of the directory even after the installer applies restrictive ACLs. At any time after installation completes, the attacker can modify the directory ACL (as the owner) and tamper with critical configuration files such as install-settings.json to specify a malicious credentialHelper, causing arbitrary code execution when any user runs Docker Desktop.\n\nScenario 2 (TOCTOU Attack):\nDuring installation, there is a time-of-check-time-of-use (TOCTOU) race condition between when the installer creates C:\\ProgramData\\DockerDesktop and when it sets secure ACLs. A low-privileged attacker actively monitoring for the installation can inject malicious files (such as install-settings.json) with attacker-controlled ACLs during this window, achieving the same code execution outcome."
    },
    {
      "lang": "es",
      "value": "Docker Desktop para Windows contiene m\u00faltiples vulnerabilidades de asignaci\u00f3n de permisos incorrecta en el manejo por parte del instalador del directorio C:\\ProgramData\\DockerDesktop. El instalador crea este directorio sin la verificaci\u00f3n adecuada de la propiedad, creando dos escenarios de explotaci\u00f3n:\n\nEscenario 1 (Ataque Persistente):\nSi un atacante con privilegios bajos pre-crea C:\\ProgramData\\DockerDesktop antes de la instalaci\u00f3n de Docker Desktop, el atacante retiene la propiedad del directorio incluso despu\u00e9s de que el instalador aplique ACL restrictivas. En cualquier momento despu\u00e9s de que la instalaci\u00f3n se complete, el atacante puede modificar la ACL del directorio (como propietario) y manipular archivos de configuraci\u00f3n cr\u00edticos como install-settings.json para especificar un credentialHelper malicioso, causando ejecuci\u00f3n de c\u00f3digo arbitrario cuando cualquier usuario ejecuta Docker Desktop.\n\nEscenario 2 (Ataque TOCTOU):\nDurante la instalaci\u00f3n, existe una condici\u00f3n de carrera (TOCTOU) de tiempo de verificaci\u00f3n-tiempo de uso entre el momento en que el instalador crea C:\\ProgramData\\DockerDesktop y el momento en que establece ACL seguras. Un atacante con privilegios bajos que monitorea activamente la instalaci\u00f3n puede inyectar archivos maliciosos (como install-settings.json) con ACL controladas por el atacante durante esta ventana, logrando el mismo resultado de ejecuci\u00f3n de c\u00f3digo."
    }
  ],
  "id": "CVE-2025-14740",
  "lastModified": "2026-02-04T16:33:44.537",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "security@docker.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-04T14:16:08.533",
  "references": [
    {
      "source": "security@docker.com",
      "url": "https://docs.docker.com/security/"
    },
    {
      "source": "security@docker.com",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28190/"
    },
    {
      "source": "security@docker.com",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28542/"
    }
  ],
  "sourceIdentifier": "security@docker.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security@docker.com",
      "type": "Secondary"
    }
  ]
}

