CVE Catalog

CVE-2026-41568

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile — higher than 1% of all known CVEs

Summary

In Moby, versions prior to 2.0.0-beta.14 and Docker Engine prior to 29.5.1, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.

Risk Assessment

This vulnerability may lead to unauthorized access to the host filesystem, potentially resulting in data loss or system integrity breaches.

Recommendation

It is recommended to upgrade to Docker Engine version 29.5.1 or Moby Daemon version 2.0.0-beta.14 to mitigate this vulnerability.

Original NVD description (English source)

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS