Akerouanton

#41265 of 53,632
6.5 Total CVSS
Vulnerabilities · 1
PT-2024-3075
6.5
2012-02-17
Docker · Moby · CVE-2024-32473
**Name of the Vulnerable Software and Affected Versions**

Moby versions 26.0.0 through 26.0.1

**Description**

Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In versions 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. This allows containers with an `ipvlan` or `macvlan` interface to share an external network link with the host machine, potentially enabling them to communicate with other hosts on the local network over link-local IPv6 addresses, obtain SLAAC-assigned addresses if router advertisements are being broadcast, and become members of IPv6 multicast groups. This presents an unexpectedly and unnecessarily increased attack surface in IPv4-only networks.

**Recommendations**

To completely disable IPv6 in a container for versions 26.0.0 and 26.0.1, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Alternatively, in the service configuration of a `compose` file, add the following:

```
sysctls:
  - net.ipv6.conf.all.disable_ipv6=1
```

For version 26.0.2 and later, no additional action is required as the issue is patched.
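One way to confirm that the workaround took effect, as an added example (not part of the advisory or of the Moby project's code): the function below reads the kernel's per-interface `disable_ipv6` flags and lists every interface on which IPv6 is still enabled. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list interfaces that still have IPv6 enabled.
# The kernel exposes one flag per interface under
#   /proc/sys/net/ipv6/conf/<iface>/disable_ipv6   (0 = enabled, 1 = disabled)
# and that tree is per network namespace, so run this inside the container.
# The optional first argument (hypothetical, for testing) replaces /proc/sys.

ipv6_enabled_ifaces() {
    conf="${1:-/proc/sys}/net/ipv6/conf"
    # No IPv6 sysctl tree at all means the kernel has no IPv6 support loaded.
    if [ ! -d "$conf" ]; then
        return 0
    fi
    for f in "$conf"/*/disable_ipv6; do
        # An unmatched glob stays literal; skip it and any unreadable entry.
        if [ ! -r "$f" ]; then
            continue
        fi
        iface=$(basename "$(dirname "$f")")
        case "$iface" in
            # "all" and "default" are templates, and loopback is not
            # attached to the shared external link.
            all|default|lo) continue ;;
        esac
        value=$(cat "$f")
        if [ "$value" = "0" ]; then
            echo "$iface"
        fi
    done
    return 0
}

# Succeeds only when no external-facing interface has IPv6 enabled.
ipv6_fully_disabled() {
    enabled=$(ipv6_enabled_ifaces "$1")
    if [ -n "$enabled" ]; then
        echo "IPv6 still enabled on: $enabled" >&2
        return 1
    fi
    return 0
}
```

Source the file in a shell started inside the container (for example through `docker exec`) and call `ipv6_fully_disabled`; an empty result on an IPv4-only `ipvlan` or `macvlan` network means the sysctl was applied.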