CVE-2025-14740

Name of the Vulnerable Software and Affected Versions Docker Desktop for Windows (affected versions not specified)

Description Docker Desktop for Windows has permission assignment issues in the installer’s handling of the C:ProgramDataDockerDesktop directory. The installer does not properly verify ownership when creating this directory, leading to potential exploitation scenarios. An attacker who pre-creates the C:ProgramDataDockerDesktop directory before installation can retain ownership, even after the installer applies restrictive ACLs. This allows the attacker to modify directory ACLs and tamper with critical configuration files like install-settings.json, potentially specifying a malicious credentialHelper and leading to arbitrary code execution when Docker Desktop is run. A time-of-check-time-of-use (TOCTOU) race condition exists during installation, allowing an attacker to inject malicious files, such as install-settings.json, with attacker-controlled ACLs before secure ACLs are set, resulting in the same code execution outcome.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.