Description
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Published: 2026-06-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition (CWE-367) in the docker cp mount setup allows a malicious container to redirect a bind mount to an arbitrary host path. The redirection is classified as UNIX symbolic link following (CWE-61). The attacker can overwrite critical host files or cause a denial of service.

Affected Systems

The vulnerability affects Docker Engine (Moby) versions prior to 29.5.1 and Docker Daemon 28.5.2 and earlier, as well as Moby Daemon versions before 2.0.0-beta.14.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The issue is not listed in the CISA KEV catalog. The CVSS vector (AV:L/AC:H/PR:L/UI:R) describes a local attack of high complexity that requires low privileges and user interaction. The likely attack vector is a malicious container that wins the race during docker cp mount setup, redirecting the bind mount target so that host files are overwritten.

Generated by OpenCVE AI on June 12, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Docker Engine to version 29.5.1 or later, or update Moby Daemon to 2.0.0-beta.14 or newer.
  • When an update cannot be applied immediately, restrict containers from using docker cp and disallow bind mounts by applying security profiles or runtime flags.
  • As a temporary workaround, run containers with the --read-only flag and avoid using bind mounts to critical host paths.


Advisories
Source: GitHub GHSA
ID: GHSA-rg2x-37c3-w2rh
Title: Docker: Race condition in docker cp allows bind mount redirection to host path

History

Sat, 13 Jun 2026 04:30:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Moby; Moby moby

Type: Vendors & Products
Values Removed:
Values Added: Moby; Moby moby

Fri, 12 Jun 2026 18:45:00 +0000

Type: Description
Values Removed:
Values Added: Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Type: Title
Values Removed:
Values Added: Moby: Race condition in docker cp allows bind mount redirection to host path

Type: Weaknesses
Values Removed:
Values Added: CWE-367; CWE-61

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T03:25:47.055Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42306

Vulnrichment

Updated: 2026-06-13T03:25:41.422Z

NVD

Status: Received

Published: 2026-06-12T19:16:27.490

Modified: 2026-06-12T19:16:27.490

Link: CVE-2026-42306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:00:20Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-61

    UNIX Symbolic Link (Symlink) Following