CVE-2026-5843

HIGH

Docker Model Runner container-to-host code execution via MLX-LM model_file importlib loading

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-5843. PoCs published by davidrxchester.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-5843, which leverages a malicious OCI registry to serve a model that exploits the `model_file` importlib execution path in mlx-lm, leading to remote code execution on the host system when Docker Model Runner loads the model for inference.

Description

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.

Exploits (1)

github WORKING POC

by davidrxchester · pythonpoc

https://github.com/davidrxchester/CVE-2026-5843

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-5843, which leverages a malicious OCI registry to serve a model that exploits the `model_file` importlib execution path in mlx-lm, leading to remote code execution on the host system when Docker Model Runner loads the model for inference.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Docker Desktop <= 4.70.x (Apple Silicon)

No auth needed

Prerequisites: Docker Desktop with Model Runner enabled · Apple Silicon hardware · Network access to the malicious registry

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 23, 2026 Full analysis →

References (1)

Core 1

Core References

Release Notes release-notes

https://docs.docker.com/desktop/release-notes/#4710

Scores

CVSS v3 8.2

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-829

Status published

Products (2)

Docker/Docker Desktop 4.56.0 - 4.71.0

docker/docker_desktop 4.56.0 - 4.71.0

Published May 22, 2026

Tracked Since May 23, 2026