CVE-2026-41568 - Vulnerability Details

CVE-2026-41568 - Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Docker	Engine
Moby	Moby
Mobyproject	Moby Moby\/v2

Configuration 1 [-]

OR	cpe:2.3:a:docker:engine::::::::
	cpe:2.3:a:mobyproject:moby::::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta0::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta1::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta10::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta11::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta12::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta13::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta2::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta3::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta4::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta5::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta6::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta7::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta8::::::
	cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta9::::::

No data.

References

Link	Providers
https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5

History

Tue, 16 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Docker Docker engine Mobyproject Mobyproject moby Mobyproject moby\/v2
CPEs		cpe:2.3:a:docker:engine:::::::: cpe:2.3:a:mobyproject:moby:::::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta0:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta10:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta11:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta12:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta13:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta1:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta2:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta3:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta4:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta5:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta6:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta7:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta8:::::: cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta9::::::
Vendors & Products		Docker Docker engine Mobyproject Mobyproject moby Mobyproject moby\/v2

Fri, 12 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Moby Moby moby
Vendors & Products		Moby Moby moby

Fri, 12 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Title		Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Weaknesses		CWE-367 CWE-81
References		https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-12T18:08:43.914Z

Updated: 2026-06-12T20:01:58.963Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41568

Vulnrichment

Updated: 2026-06-12T20:01:55.279Z

NVD

Status : Analyzed

Published: 2026-06-12T19:16:26.907

Modified: 2026-06-16T18:31:54.957

Link: CVE-2026-41568

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object