Bug 2488493 (CVE-2026-41568) - CVE-2026-41568 github.com/docker/docker: github.com/moby/moby: Moby: Denial of Service via race condition in docker cp mount setup
Summary: CVE-2026-41568 github.com/docker/docker: github.com/moby/moby: Moby: Denial o...
Keywords:
Status: NEW
Alias: CVE-2026-41568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-12 19:02 UTC by OSIDB Bzimport
Modified: 2026-06-19 15:44 UTC (History)
111 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-12 19:02:02 UTC
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.


Note You need to log in before you can comment on or make changes to this bug.