Description
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Published: 2026-06-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Docker "docker cp" mount setup allows a malicious container to create empty files or directories at any absolute path on the host filesystem. The resulting unauthorized file creation can undermine host integrity and serve as a foothold for further exploitation.

Affected Systems

The vulnerability affects Moby Daemon versions prior to 2.0.0‑beta.14 and Docker Engine versions earlier than 29.5.1 (including Docker daemon 28.5.2 and earlier).

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, and an EPSS score of less than 1% implies a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. Attackers would need a container that can invoke "docker cp" and control symlink placement; the race condition occurs during mount setup and is mitigated by the patch.

Generated by OpenCVE AI on June 12, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Docker Engine to 29.5.1 or later, or upgrade Moby Daemon to 2.0.0‑beta.14 or later.
  • Run containers with the least privileges possible, disable the use of "docker cp" from inside containers, and avoid mounting host paths that accept symlinks.
  • Use Docker user namespaces or read‑only root filesystems for containers to limit their ability to modify the host, reducing the potential impact of any race condition.

Generated by OpenCVE AI on June 12, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vp62-88p7-qqf5 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
History

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Moby
Moby moby
Vendors & Products Moby
Moby moby

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Title Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Weaknesses CWE-367
CWE-81
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H'}

Subscriptions

Moby Moby
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:01:58.963Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41568

cve-icon Vulnrichment

Updated: 2026-06-12T20:01:55.279Z

cve-icon NVD

Status : Received

Published: 2026-06-12T19:16:26.907

Modified: 2026-06-12T19:16:26.907

Link: CVE-2026-41568

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-81

    Improper Neutralization of Script in an Error Message Web Page