In a hardened Docker environment with Enhanced Container Isolation (ECI, https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/) enabled, an administrator can use the command restrictions feature (https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/config/#command-restrictions) to restrict the commands that a container with a Docker socket mount may issue on that socket.
Due to a software bug, the command restriction configuration was ignored when passed to ECI, allowing any command to be executed on the socket. This grants excessive privileges by permitting unrestricted access to powerful Docker commands.
The vulnerability affects only Docker Desktop 4.46.0 users who have ECI enabled and use the Docker socket command restrictions feature. In addition, since ECI restricts mounting the Docker socket into containers by default, it affects only containers that the administrator has explicitly allowed to mount the Docker socket.
CVSS
No CVSS.
References
| Link | Resource |
|---|---|
| https://docs.docker.com/desktop/release-notes | |
Configurations
No configuration.
History
26 Sep 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2025-09-26 21:15
Updated : 2025-09-29 19:34
NVD link : CVE-2025-10657
Mitre link : CVE-2025-10657
CVE.ORG link : CVE-2025-10657
Products Affected
No product.
CWE
CWE-269: Improper Privilege Management