SecuriTricks - CVE-2026-42306

Description

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Product(s) Impacted

Vendor	Product	Versions
Docker	Docker Engine Docker Daemon	<29.5.1 <28.5.2
Moby	Moby	<2.0.0-beta.14

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-61

UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	docker	docker_engine	<29.5.1	/	/	/	/	/	/	/
a	docker	docker_daemon	<28.5.2	/	/	/	/	/	/	/
a	moby	moby	<2.0.0-beta.14	/	/	/	/	/	/	/

References

https://github.com/moby/moby/security/advisories/GHSA-rg2x-37c3-w2rh

CVSS Score

7.2 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

View Vector String

Timeline

Published: June 12, 2026, 7:16 p.m.
Last Modified: June 12, 2026, 7:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-42306