Add security notices regarding CVE-2025-10657. (#23476)

ctalledo · web-flow · commit 47546555f87d · 2025-10-01T08:10:23.000+01:00
## Description Add notices to the 4.47.0 release notes and the security announcements page. ## Reviews   - [ ] Technical review - [X] Editorial review - [ ] Product review Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md
@@ -40,6 +40,10 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo
 
 {{< desktop-install-v2 all=true win_arm_release="Early Access" version="4.47.0" build_path="/206054/" >}}
 
+### Security
+
+- Fixed [CVE-2025-10657](https://www.cve.org/CVERecord?id=CVE-2025-10657) where the Enhanced Container Isolation [Docker Socket command restrictions](../enterprise/security/hardened-desktop/enhanced-container-isolation/config.md#command-restrictions) feature was not working properly in Docker Desktop 4.46.0 only (the configuration for it was being ignored).
+
 ### New
 
 - Added dynamic MCP server discovery and support to Docker's MCP catalog.
@@ -85,7 +89,7 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo
 ### New
 
 - Added a new Learning center walkthrough for Docker MCP Toolkit and other onboarding improvements.
-- Administrators can now control [PAC configurations with Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md#proxy-settings). 
+- Administrators can now control [PAC configurations with Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md#proxy-settings).
 - The update experience has been redesigned to make it easier to understand and manage updates for Docker Desktop and its components.
 
 ### Upgrades
@@ -107,7 +111,7 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo
 
 #### For Windows
 
-- Improved the security of Docker Model Runner by enabling sandboxing of the `llama.cpp` inference processes. 
+- Improved the security of Docker Model Runner by enabling sandboxing of the `llama.cpp` inference processes.
 
 #### For Linux
 
@@ -156,7 +160,7 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo
 
 {{< desktop-install-v2 all=true win_arm_release="Early Access" version="4.44.3" build_path="/202357/" >}}
 
-### Security 
+### Security
 
 - Fixed [CVE-2025-9074](https://www.cve.org/CVERecord?id=CVE-2025-9074) where a malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted. This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.
 
@@ -219,7 +223,7 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo
 - [Docker Model CLI v0.1.36](https://github.com/docker/model-cli/releases/tag/v0.1.36)
 - [Docker Desktop CLI v0.2.0](/manuals/desktop/features/desktop-cli.md)
 
-### Security 
+### Security
 
 We are aware of [CVE-2025-23266](https://nvd.nist.gov/vuln/detail/CVE-2025-23266), a critical vulnerability affecting the NVIDIA Container Toolkit in CDI mode up to version 1.17.7. Docker Desktop includes version 1.17.8, which is not impacted. However, older versions of Docker Desktop that bundled earlier toolkit versions may be affected if CDI mode was manually enabled. Uprade to Docker Desktop 4.44 or later to ensure you're using the patched version.
 
diff --git a/content/manuals/security/security-announcements.md b/content/manuals/security/security-announcements.md
@@ -12,6 +12,12 @@ toc_max: 2
 
 {{< rss-button feed="/security/security-announcements/index.xml" text="Subscribe to security RSS feed" >}}
 
+## Docker Desktop 4.47.0 security update: CVE-2025-10657
+
+A vulnerability in Docker Desktop was fixed on September 25 in the [4.47.0](/manuals/desktop/release-notes.md#4470) release:
+
+- Fixed [CVE-2025-10657](https://www.cve.org/CVERecord?id=CVE-2025-10657) where the Enhanced Container Isolation [Docker Socket command restrictions](../enterprise/security/hardened-desktop/enhanced-container-isolation/config.md#command-restrictions) feature was not working properly in Docker Desktop 4.46.0 only (the configuration for it was being ignored).
+
 ## Docker Desktop 4.44.3 security update: CVE-2025-9074
 
 _Last updated August 20, 2025_
