CVE-2026-42306
Status: Analyzed (Analysis Complete)

Race Condition in Docker Engine Allows Host File Overwrite

Vulnerability report for CVE-2026-42306, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-16
Generated: 2026-07-03
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01
References: NVD, EUVD

Affected Vendors & Products

Showing 16 associated CPEs

Vendor        Product    Version / Range
docker        engine     up to 29.5.1 (excluding)
mobyproject   moby       up to 28.5.2 (including)
mobyproject   moby/v2    2.0.0 (listed 13 times)

Exploitability

CWE

CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

AI Quick Actions

Executive Summary

CVE-2026-42306 is a race condition vulnerability in Docker's `docker cp` command that affects Docker Engine versions prior to 29.5.1 and Moby Daemon versions prior to 2.0.0-beta.14.

During the setup of a temporary filesystem view when copying files into a container, there is a timing window between creating the mountpoint and the mount system call. A malicious container can exploit this window by replacing the destination or a parent path component with a symbolic link pointing to an arbitrary host path.

This causes the bind mount to be attached to an unintended host path, potentially allowing the container to overwrite host files or cause denial of service.

Exploitation requires a container with at least one volume mount, the ability to rapidly create and swap symlinks, and an operator initiating a `docker cp` or using the archive API endpoints.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can have serious impacts depending on the permissions of the volume mounts involved.

  • If the volume is writable, a malicious container can overwrite arbitrary files on the host system, potentially leading to data loss or system compromise.
  • If the volume is read-only, the attacker can mask host paths, causing denial of service by disrupting expected file access.

The effects of any writes persist even though the mount is temporary, meaning damage can be lasting.

Overall, this can lead to high integrity and availability impacts on the host system.

Detection Guidance

Detecting exposure to this vulnerability means identifying whether Docker Engine or Moby Daemon versions older than the patched releases are in use, and monitoring for suspicious activity related to the `docker cp` command or the archive API endpoints.

Specifically, you can check the installed Docker or Moby versions with commands like:

  • `docker version` - reports both the CLI (client) version and the daemon (server) version; the Docker Engine version is the server value.
  • `moby version`, or otherwise the Moby daemon's reported version, where a Moby v2 daemon is in use.

Additionally, monitoring for rapid creation and swapping of symlinks inside containers with volume mounts, and unusual usage of `docker cp` or archive API endpoints, may help detect exploitation attempts.

However, no specific detection commands or tools are provided in the available resources.
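As an added example (not from this report or from the Moby project), the following Python script turns the version check above into something repeatable: it parses version strings including pre-release suffixes, compares them against the fixed versions the report names, and, where a docker CLI and a reachable daemon exist, reads the daemon's own version with `docker version --format '{{.Server.Version}}'`. The product keys `docker-engine` and `moby-v2`, the function names, and every sample version string are constructed for the example; the live check assumes the local daemon is a Docker Engine rather than a Moby v2 daemon.

```python
"""Version check for CVE-2026-42306 (added example, not part of the
original report).  Decides whether a Docker Engine or Moby v2 daemon
version string is older than the fixed release named in the advisory."""
import re
import subprocess

# Fixed versions as stated in the report.  The Moby v2 fix is a
# pre-release ("beta.14"), so pre-release identifiers must be ordered
# correctly: 2.0.0-beta.13 < 2.0.0-beta.14 < 2.0.0.
FIXED = {
    "docker-engine": "29.5.1",
    "moby-v2": "2.0.0-beta.14",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Turn '29.5.1' or '2.0.0-beta.14' into a tuple that compares like
    semver: (major, minor, patch, is_release, prerelease_parts).
    A final release (is_release=1) sorts after any pre-release of the
    same number; numeric pre-release parts sort before alphanumeric ones."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, parts)


def is_vulnerable(version, product="docker-engine"):
    """True when `version` is older than the fixed release for `product`
    ('docker-engine' or 'moby-v2')."""
    return parse_version(version) < parse_version(FIXED[product])


def installed_daemon_version():
    """Ask the local daemon for its version via the docker CLI.  Returns
    None when the CLI is missing, the daemon is unreachable, or the
    call times out."""
    try:
        proc = subprocess.run(
            ["docker", "version", "--format", "{{.Server.Version}}"],
            capture_output=True, text=True, timeout=10, check=True,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real host.
    samples = [
        ("docker-engine", "28.5.2"),
        ("docker-engine", "29.5.0"),
        ("docker-engine", "29.5.1"),
        ("moby-v2", "2.0.0-beta.13"),
        ("moby-v2", "2.0.0-beta.14"),
        ("moby-v2", "2.0.0"),
    ]
    for product, ver in samples:
        state = "VULNERABLE" if is_vulnerable(ver, product) else "patched"
        print(f"{product:13s} {ver:14s} {state}")
    # Live check: assumes the local daemon is Docker Engine, not Moby v2.
    live = installed_daemon_version()
    if live is not None:
        state = "VULNERABLE" if is_vulnerable(live) else "patched"
        print(f"local daemon  {live:14s} {state}")
```

The pre-release ordering matters here because a naive string or tuple comparison would rank `2.0.0-beta.9` above `2.0.0-beta.14` and would not place the final `2.0.0` release after both; the `(is_release, prerelease_parts)` tail in the parsed tuple handles both cases.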

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using the `docker cp` command with untrusted containers.
  • Run only trusted container images to reduce the risk of exploitation.
  • Restrict access to the archive API endpoints to prevent unauthorized use.
  • Upgrade Docker Engine to version 29.5.1 or later, or Moby Daemon to version 2.0.0-beta.14 or later, where the vulnerability is patched.
