Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
CVE-2026-41568

6.1MEDIUM

Key Information:

Vendor: Moby
Status: Moby
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-41568?

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Affected Version(s)

moby github.com/docker/docker/daemon <= 28.5.2 <= github.com/docker/docker/daemon 28.5.2

moby Docker Engine < 29.5.1 < Docker Engine 29.5.1

moby github.com/moby/moby/v2/daemon < 2.0.0-beta.14 < github.com/moby/moby/v2/daemon 2.0.0-beta.14

References

https://github.com/moby/moby/security/advisories/GHSA-vp6...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Apr 21, 2026

CVE-2026-41568 Data

JSON