PatchSiren cyber security CVE debrief
CVE-2026-42306 moby CVE debrief
A race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
- Vendor: moby
- Product: Unknown
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14.
Technical summary
The vulnerability is caused by a race condition during docker cp mount setup, allowing a malicious container to redirect a bind mount target to an arbitrary host path. This can potentially lead to overwriting host files or causing denial of service.
Defensive priority
HIGH
Recommended defensive actions
- Update Docker Engine to version 29.5.1 or later
- Update Moby Daemon to version 2.0.0-beta.14 or later
Evidence notes
CVE-2026-42306 has a CVSS score of 7.2 and is classified as HIGH severity.
Official resources
- CVE-2026-42306 CVE record (CVE.org)
- CVE-2026-42306 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-42306 was published on 2026-06-12T19:16:27.490Z and has not been modified since then.