Docker Model Runner macOS CVEs CVE-2026-5843

- Docker fixed two 2026 Docker Model Runner flaws on macOS earlier this spring, covering the vllm-metal backend in 4.68.0 and MLX in 4.71.0. (docs.docker.com)
- The more severe issue, CVE-2026-5843, carries an 8.8 CVSS score and describes host code execution as the Docker Desktop user. (app.opencve.io)
- Docker’s security announcements and release notes list the fixed versions; Docker also documents a command to disable Model Runner. (docs.docker.com)

Docker had already patched both macOS Docker Model Runner bugs before the CVE identifiers circulated widely on May 22. Docker’s security announcements page says Docker Desktop 4.68.0, released April 7, addressed CVE-2026-5817 in the vllm-metal inference backend, and Docker Desktop 4.71.0, released April 27, addressed CVE-2026-5843 in the MLX inference backend. (docs.docker.com) (app.opencve.io)

Docker Model Runner is Docker’s local AI model runtime for Docker Desktop and Docker Engine. Docker says the feature can pull models from Docker Hub, Hugging Face and other OCI-compliant registries, then serve them through OpenAI- and Ollama-compatible APIs. (docs.docker.com)

The result is a security story that is narrower than “Docker on macOS” but serious for people using Model Runner on Apple Silicon. The affected path is the macOS Model Runner setup that uses MLX-related backends, including Docker’s vllm-metal support introduced for Apple Silicon in February. (docs.docker.com)

### Which Docker component is actually affected?

Docker’s own documentation names Docker Model Runner, not the core container engine, as the affected feature. Docker says Model Runner is an AI-focused component that pulls models from registries and runs them locally through dedicated inference engines. (docs.docker.com)

On macOS, Docker added vllm-metal support on February 26 to bring vLLM inference to Apple Silicon through Metal. Docker said that stack uses MLX as the primary inference layer under the vLLM plugin path on macOS. (docs.docker.com)

### What do CVE-2026-5843 and CVE-2026-5817 say happened?

Docker’s security page describes both issues in the same broad category: “container-to-host code execution.” CVE-2026-5817 covers the Docker Model Runner vllm-metal inference backend, while CVE-2026-5843 covers the Docker Model Runner MLX inference backend. (docs.docker.com)

OpenCVE’s entry for CVE-2026-5843 says the MLX backend on macOS could import and execute arbitrary Python files specified by a model configuration field, and that the code would run as the Docker Desktop user. The entry assigns CVSS 8.8 and says any container able to access the Model Runner API could trigger the vulnerable path by pulling a malicious model from an attacker-controlled OCI registry. (docker.com)

Because Docker’s advisory for CVE-2026-5817 is brief, the most concrete official detail there is the affected component and the fix version. Docker says that issue was fixed in Docker Desktop 4.68.0 on April 7. (docs.docker.com)

### Why does the registry path matter here?

Docker says Model Runner is designed to pull models from Docker Hub, Hugging Face and any OCI-compliant registry. That architecture matters because the documented exploit path for CVE-2026-5843 depends on Model Runner retrieving a malicious model artifact and loading it through the vulnerable backend. (app.opencve.io)

OpenCVE says the trigger path runs through the `model-runner.docker.internal` API and an attacker-controlled OCI registry. That means the exposure is tied to systems where Model Runner is enabled and reachable by containers, not to every Docker Desktop installation in the abstract. (docs.docker.com)

### What should macOS users check right now?

Docker’s release notes show current Docker Desktop versions extend beyond both fixes, and the security page identifies 4.68.0 and 4.71.0 as the minimum patched releases for these two CVEs. Users on older macOS Docker Desktop builds with Model Runner enabled should verify whether they are below those versions. (docs.docker.com)

Docker also documents a `docker desktop disable model-runner` command. For teams not using the feature, that gives a documented way to turn it off while they verify versions and exposure. (app.opencve.io)

Docker’s security announcements page remains the primary place to track any follow-up notices, and Docker’s release-notes page lists the newer Desktop builds available after 4.71.0. (docs.docker.com 1) (docs.docker.com 2)
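
The version check described above can be scripted. This is an added example, not code from Docker or from this article: it compares a Docker Desktop version against the two fix releases named here (4.68.0 and 4.71.0). The function names `version_lt` and `unfixed_cves` are hypothetical, and the version string is assumed to be supplied by the user, for example as read from Docker Desktop's About screen.

```shell
#!/bin/sh
# Added example: triage a Docker Desktop version against the fix releases
# named in this article. Function names are hypothetical.

# version_lt A B: succeed if dotted version A is strictly lower than B.
# Components are compared as numbers, so 4.8.0 < 4.68.0 < 4.100.0
# (a plain string comparison would get both of those wrong).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        # Drop the component just read; an exhausted side counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1  # versions are equal
}

# unfixed_cves VERSION: print the CVE IDs whose fix release is newer than
# VERSION, one per line. No output means both fixes are present.
# Returns 2 if VERSION is not a dotted numeric string.
unfixed_cves() {
    case $1 in
        ''|*[!0-9.]*)
            echo "not a dotted numeric version: $1" >&2
            return 2 ;;
    esac
    if version_lt "$1" 4.68.0; then echo CVE-2026-5817; fi  # vllm-metal backend
    if version_lt "$1" 4.71.0; then echo CVE-2026-5843; fi  # MLX backend
}

# Usage: sh check.sh 4.67.2   (the script name is a placeholder)
# If a CVE is listed and Model Runner is not needed, the command the
# article cites is: docker desktop disable model-runner
if [ $# -gt 0 ]; then unfixed_cves "$1"; fi
```
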
