Summary
In 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where --ipv6=false.
Workarounds
To completely disable IPv6 in a container, use --sysctl=net.ipv6.conf.all.disable_ipv6=1 in the docker create or docker run command. Or, in the service configuration of a compose file, the equivalent:
sysctls:
- net.ipv6.conf.all.disable_ipv6=1
References
- sysctl configuration using
docker run: - sysctl configuration using
docker compose:
Impact
A container with an ipvlan or macvlan interface will normally be configured to share an external network link with the host machine. Because of this direct access, with IPv6 enabled:
- Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses.
- If router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses.
- The interface will be a member of IPv6 multicast groups.
This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface.
A container with an unexpected IPv6 address can do anything a container configured with an IPv6 address can do. That is, listen for connections on its IPv6 address, open connections to other nodes on the network over IPv6, or attempt a DoS attack by flooding packets from its IPv6 address. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L (2.7).
Because the container may not be constrained by an IPv6 firewall, there is increased potential for data exfiltration from the container. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (4.7).
A remote attacker could send malicious Router Advertisements to divert traffic to itself, a black-hole, or another device. The same attack is possible today for IPv4 macvlan/ipvlan endpoints with ARP spoofing, TLS is commonly used by Internet APIs to mitigate this risk. The presence of an IPv6 route could impact the container's availability by indirectly abusing the behaviour of software which behaves poorly in a dual-stack environment. For example, it could resolve a name to a DNS AAAA record and keep trying to connect over IPv6 without ever falling back to IPv4, potentially denying service to the container. This has CVSS score AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.5).
CVE-2024-32473 has a CVSS score of 4.7 (Medium). The vector is requires local access, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (26.0.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The issue is patched in 26.0.2.
Frequently Asked Questions
- What is CVE-2024-32473? CVE-2024-32473 is a medium-severity security vulnerability in github.com/docker/docker (go), affecting versions >= 26.0.0, < 26.0.2. It is fixed in 26.0.2.
- How severe is CVE-2024-32473? CVE-2024-32473 has a CVSS score of 4.7 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/docker/docker are affected by CVE-2024-32473? github.com/docker/docker (go) versions >= 26.0.0, < 26.0.2 is affected.
- Is there a fix for CVE-2024-32473? Yes. CVE-2024-32473 is fixed in 26.0.2. Upgrade to this version or later.
- Is CVE-2024-32473 exploitable, and should I be worried? Whether CVE-2024-32473 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-32473 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-32473? Upgrade
github.com/docker/dockerto 26.0.2 or later.