CVE-2026-42306
Race Condition in Docker Engine Allows Host File Overwrite

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor / Product / Version range:
  • docker / docker_engine / up to 29.5.1 (excluding)
  • docker / docker_daemon / up to 28.5.2 (excluding)
  • moby / moby_daemon / up to 2.0.0-beta.14 (excluding)
CWE
  • CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
  • CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
AI Quick Actions
Executive Summary

CVE-2026-42306 is a race condition vulnerability in Docker's `docker cp` command that affects Docker Engine versions prior to 29.5.1 and Moby Daemon versions prior to 2.0.0-beta.14.

During the setup of a temporary filesystem view when copying files into a container, there is a timing window between creating the mountpoint and the mount system call. A malicious container can exploit this window by replacing the destination or a parent path component with a symbolic link pointing to an arbitrary host path.

This causes the bind mount to be attached to an unintended host path, potentially allowing the container to overwrite host files or cause denial of service.

Exploitation requires a container with at least one volume mount, the ability to rapidly create and swap symlinks, and an operator initiating a `docker cp` or using the archive API endpoints.

Impact Analysis

This vulnerability can have serious impacts depending on the permissions of the volume mounts involved.

  • If the volume is writable, a malicious container can overwrite arbitrary files on the host system, potentially leading to data loss or system compromise.
  • If the volume is read-only, the attacker can mask host paths, causing denial of service by disrupting expected file access.

The effects of any writes persist even though the mount is temporary, meaning damage can be lasting.

Overall, this can lead to high integrity and availability impacts on the host system.

Detection Guidance

Detecting exposure to this vulnerability involves identifying whether Docker Engine or Moby Daemon versions older than the patched releases are in use, and monitoring for suspicious activity related to the `docker cp` command or the archive API endpoints.

Specifically, you can check the installed Docker or Moby versions with commands like:

  • `docker version` - to check the Docker Engine version.
  • `moby version`, or the equivalent check for the Moby daemon version, where applicable.

Additionally, monitoring for rapid creation and swapping of symlinks inside containers with volume mounts, and unusual usage of `docker cp` or archive API endpoints, may help detect exploitation attempts.

However, no specific detection commands or tools are provided in the available resources.
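As an added example (not from the advisory, and not Moby's own code), the following Python compares a reported version string against the fixed versions stated above; it implements semver precedence so that `2.0.0-beta.13` is correctly ranked below `2.0.0-beta.14`, which in turn ranks below `2.0.0`. The product keys and the `docker version --format '{{.Server.Version}}'` query used to read the local daemon's version are assumptions of this example.

```python
import re
import subprocess

# Fixed versions as stated in the advisory text on this page.
FIXED = {
    "docker_engine": "29.5.1",
    "moby_daemon": "2.0.0-beta.14",
}

# MAJOR.MINOR.PATCH with optional -prerelease and +build metadata.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse(version):
    """Sort key with semver precedence: a release outranks every prerelease of the
    same core; numeric prerelease ids compare as integers and sort before words."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4) is None:
        return core, (1,)  # release: sentinel that sorts above any prerelease
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m.group(4).split("."))
    return core, (0,) + ids


def is_affected(product, version):
    """True when `version` of `product` is older than this CVE's fixed version."""
    return parse(version) < parse(FIXED[product])


def installed_engine_version():
    """Ask the local daemon for its version; None if docker is absent or unreachable."""
    try:
        out = subprocess.run(
            ["docker", "version", "--format", "{{.Server.Version}}"],
            capture_output=True, text=True, timeout=10, check=True,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_engine_version()
    if v is None:
        print("docker daemon not reachable; cannot determine version")
    else:
        state = "AFFECTED" if is_affected("docker_engine", v) else "patched"
        print(f"Docker Engine {v}: {state} (fixed in {FIXED['docker_engine']})")
```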

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using the `docker cp` command with untrusted containers.
  • Run only trusted container images to reduce the risk of exploitation.
  • Restrict access to the archive API endpoints to prevent unauthorized use.
  • Upgrade Docker Engine to version 29.5.1 or later, or Moby Daemon to version 2.0.0-beta.14 or later, where the vulnerability is patched.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
