Bug 2488493 (CVE-2026-41568)

Summary: CVE-2026-41568 github.com/docker/docker: github.com/moby/moby: Moby: Denial of Service via race condition in docker cp mount setup
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, agarcial, alcohan, amctagga, anjoseph, anpicker, aoconnor, asatyam, asegurap, bdettelb, bniver, bparees, crizzo, derez, dfreiber, dhanak, diagrawa, doconnor, drosa, drow, dschmidt, dsimansk, dymurray, eborisov, eglynn, erezende, fdeutsch, flucifre, gmeno, gparvin, groman, hasun, ibolton, jbalunas, jburrell, jcantril, jfula, jjoyce, jkoehler, jlanda, jmatthew, jmitchel, jmontleo, jowilson, jprabhak, jpretori, jsamir, jschluet, kaycoth, kbempah, kingland, kshier, lball, lchilton, lgamliel, lhh, ljawale, lphiri, luizcosta, lwan, manissin, mbenjamin, mburns, mgarciac, mhackett, mnovotny, ngough, nweather, nyancey, ometelka, oramraz, pahickey, pakotvan, pgaikwad, ptisnovs, rbobbitt, rekumar, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rojacob, sabiswas, sakbas, sausingh, sdawley, sfeifer, simaishi, slucidi, smcdonal, smullick, solenoci, sostapov, sseago, stcannon, sthirugn, stirabos, syedriko, teagle, thason, tzivkovi, vereddy, veshanka, vkumar, vvoronko, watson-tool-maintainers, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Moby container framework. A race condition during the `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary locations on the host filesystem. This vulnerability can lead to a denial of service by filling up disk space or interfering with critical system files.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-12 19:02:02 UTC
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.