CVE-2026-42306
Published 2026-06-12
Priority P337, high, CVSS 3.1: 7.2
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H
EPSS: 0.10% (1.3th percentile)
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| docker | engine | < 29.5.1 | 29.5.1 |
| github.com | docker_docker | 0 – 28.5.2 | — |
| github.com | moby_moby | 0 – 28.5.2 | — |
| github.com | moby_moby_v2 | >= 0 < 2.0.0-beta.14 | 2.0.0-beta.14 |
| moby | moby | — | — |
| moby | moby | — | — |
| moby | moby | — | — |
| mobyproject | moby | <= 28.5.2 | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
| mobyproject | moby_v2 | — | — |
VulDB
Moby symlink (GHSA-rg2x-37c3-w2rh)
vuldb·2026-06-12·CVSS 7.2
CVE-2026-42306 [HIGH] Moby symlink (GHSA-rg2x-37c3-w2rh)
A vulnerability was found in Moby. It has been declared as critical. The affected element is an unknown function. Executing a manipulation can lead to symlink following.
The identification of this vulnerability is CVE-2026-42306. The attack can only be executed locally. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
Docker: Race condition in docker cp allows bind mount redirection to host path
ghsa·2026-05-18
CVE-2026-42306 [HIGH] CWE-367 Docker: Race condition in docker cp allows bind mount redirection to host path
## Summary
A race condition during `docker cp` mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service.
## Details
When copying files into a container, the daemon sets up a temporary filesystem view by bind-mounting volumes into a private mount namespace. During this setup, the mount destination is created inside the container root and then a bind mount is attached using the container-relative path resolved to an absolute host path.
Between mountpoint creation and the `mount()` syscall, a process running inside the container can replace the destination (or a parent path component) with a symlink point
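One way to close the check-then-mount window described in the Details above, as an added example (not code from the advisory or from Moby; the actual patch is not shown on this page): resolve the destination beneath the container root with per-component `openat(2)` and `O_NOFOLLOW`, keep the file descriptor, and give `mount(2)` the `/proc/self/fd/N` name of that descriptor rather than a host path string. `openInRoot`, `procPath` and the temporary directory layout are hypothetical names constructed for illustration; Linux is assumed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// openInRoot walks rel beneath root one component at a time. Each step is an
// openat(2) on the directory opened in the previous step, with O_NOFOLLOW, so
// a component swapped for a symlink fails the walk instead of leaving root.
func openInRoot(root, rel string) (*os.File, error) {
	fd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, err
	}
	for _, part := range strings.FieldsFunc(rel, func(r rune) bool { return r == '/' }) {
		if part == ".." {
			syscall.Close(fd)
			return nil, fmt.Errorf("%q: \"..\" is not allowed", rel)
		}
		next, err := syscall.Openat(fd, part, syscall.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
		syscall.Close(fd)
		if err != nil {
			return nil, fmt.Errorf("component %q of %q: %w", part, rel, err)
		}
		fd = next
	}
	return os.NewFile(uintptr(fd), rel), nil
}

// procPath names the pinned inode; used as a mount target it is not re-resolved through root.
func procPath(f *os.File) string { return fmt.Sprintf("/proc/self/fd/%d", f.Fd()) }

func main() {
	root, _ := os.MkdirTemp("", "ctr-root-") // constructed stand-in for a container root
	defer os.RemoveAll(root)
	os.Mkdir(root+"/vol", 0o755)
	f, err := openInRoot(root, "vol")
	if err != nil {
		panic(err)
	}
	defer f.Close()
	os.Rename(root+"/vol", root+"/vol.old") // swap made after the handle was taken (constructed)
	os.Symlink(os.TempDir(), root+"/vol")
	_, err = openInRoot(root, "vol")
	fmt.Println("handle:", procPath(f), "| re-walk after swap:", err)
}
```

The held descriptor keeps pointing at the directory that was validated, so a later rename or symlink swap changes what the path string means but not what the handle refers to.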
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.