Moby: Race condition in docker cp allows bind mount redirection to host path
CVE-2026-42306

7.2HIGH

Key Information:

Vendor: Moby
Status: Moby
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-42306?

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Affected Version(s)

moby github.com/docker/docker/daemon <= 28.5.2 <= github.com/docker/docker/daemon 28.5.2

moby Docker Engine < 29.5.1 < Docker Engine 29.5.1

moby github.com/moby/moby/v2/daemon < 2.0.0-beta.14 < github.com/moby/moby/v2/daemon 2.0.0-beta.14

References

https://github.com/moby/moby/security/advisories/GHSA-rg2...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42306 Data

JSON