CVE Catalog

CVE-2026-42306

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

1th percentile - higher than 1% of all known CVEs

Summary

In Moby, versions prior to 2.0.0-beta.14 and Docker Engine prior to 29.5.1, a race condition during mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path. This can lead to overwriting host files or denial of service.

Risk Assessment

This vulnerability poses a significant security risk, potentially resulting in data loss or service disruption within the organization.

Recommendation

It is recommended to upgrade to Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14 to mitigate this vulnerability.

Original NVD description (English source)

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS