Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Docker |
|
| Moby |
|
| Mobyproject |
|
Configuration 1 [-]
|
No data.
References
History
Tue, 16 Jun 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Docker
Docker engine Mobyproject Mobyproject moby Mobyproject moby\/v2 |
|
| CPEs | cpe:2.3:a:docker:engine:*:*:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta0:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta10:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta11:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta12:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta13:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta1:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta3:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta4:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta5:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta6:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta7:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta8:*:*:*:*:*:* cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta9:*:*:*:*:*:* |
|
| Vendors & Products |
Docker
Docker engine Mobyproject Mobyproject moby Mobyproject moby\/v2 |
Sat, 13 Jun 2026 04:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 12 Jun 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Moby
Moby moby |
|
| Vendors & Products |
Moby
Moby moby |
Fri, 12 Jun 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14. | |
| Title | Moby: Race condition in docker cp allows bind mount redirection to host path | |
| Weaknesses | CWE-367 CWE-61 |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-12T18:09:22.188Z
Updated: 2026-06-13T03:25:47.055Z
Reserved: 2026-04-26T12:37:18.169Z
Link: CVE-2026-42306
Vulnrichment
Updated: 2026-06-13T03:25:41.422Z
NVD
Status : Analyzed
Published: 2026-06-12T19:16:27.490
Modified: 2026-06-16T18:31:31.120
Link: CVE-2026-42306
Redhat
No data.