CVE-2026-41568
Published 2026-06-12
Priority: P4 · 29 · medium · 6.1 (CVSS 3.1)
Vector: AV:L / AC:H / PR:L / UI:R / S:C / C:N / I:L / A:H
EPSS: 0.11% (1.5th percentile)
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Affected
316 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| ansible-automation-platform-24 | aap-must-gather-rhel8 | — | — |
| ansible-automation-platform-25 | aap-must-gather-rhel8 | — | — |
| ansible-automation-platform-26 | aap-must-gather-rhel9 | — | — |
| ansible-automation-platform-27 | aap-must-gather-rhel9 | — | — |
| ansible-automation-platform-27 | ansible-devspaces-rhel9 | — | — |
| ansible-automation-platform-tech-preview | ansible-devspaces-rhel9 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| aquasecurity | trivy | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| buildah_project | buildah | — | — |
| container-native-virtualization | cnv-must-gather-rhel8 | — | — |
| container-native-virtualization | cnv-must-gather-rhel9 | — | — |
| container-native-virtualization | virt-cdi-importer | — | — |
| container-native-virtualization | virt-cdi-importer-rhel9 | — | — |
| container-native-virtualization | virt-cdi-uploadserver | — | — |
| container-native-virtualization | virt-cdi-uploadserver-rhel9 | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | skopeo | — | — |
| devspaces | traefik-rhel9 | — | — |
| devspaces | udi-base-rhel10 | — | — |
| devspaces | udi-base-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| docker | engine | < 29.5.1 | 29.5.1 |
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H
vendor_redhat · 6.1 MEDIUM
VulDB
Moby cross site scripting (GHSA-vp62-88p7-qqf5 / EUVD-2026-36527)
vuldb·2026-06-12·CVSS 6.1
CVE-2026-41568 [MEDIUM] Moby cross site scripting (GHSA-vp62-88p7-qqf5 / EUVD-2026-36527)
A vulnerability was found in Moby. It has been classified as problematic. Impacted is an unknown function. Performing a manipulation results in improper neutralization of script in an error message web page.
This vulnerability was named CVE-2026-41568. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
ghsa·2026-05-18
CVE-2026-41568 [MEDIUM] CWE-367 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
## Summary
A race condition during `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
This advisory covers the race during mountpoint creation. The related race during the subsequent mount syscall is tracked in GHSA-rg2x-37c3-w2rh.
## Details
When copying files into a container, the daemon sets up a temporary filesystem view by bind-mounting volumes into a private mount namespace. During this setup, the mount destination path is first resolved within the container's root filesystem using `GetResourcePath`, and then used to create the mountpoint (file or directory) if it does not already exist.
Red Hat
github.com/docker/docker: github.com/moby/moby: Moby: Denial of Service via race condition in docker cp mount setup
vendor_redhat·2026-06-12·CVSS 6.1
CVE-2026-41568 [MEDIUM] CWE-367 github.com/docker/docker: github.com/moby/moby: Moby: Denial of Service via race condition in docker cp mount setup
A flaw was found in the Moby container framework. A race condition during the `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary locations on the host filesystem. This vulnerability can lead t
No detection rules found.
No public exploits indexed.
Published: 2026-06-12