CVE-2026-42306

HIGH EPSS 1.3%

Published Jun 12, 20262w ago · Modified Jun 17, 20261w ago

7.2 CVSS 3.1

High

Published Jun 12, 2026 2w ago

Last Modified Jun 17, 2026 1w ago

Description

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

CVSS Details

Base Score

7.2

Exploitability

0.8

Impact

5.8

Vector string

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

Attack Vector Local

Attack Complexity High

Privileges Required Low

User Interaction Required

Scope Changed

Confidentiality None

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

1.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-367

CWE-61

Affected Products 16

Vendor	Product	Version	Range
docker	engine	*	<29.5.1
mobyproject	moby	*	≤28.5.2
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any
mobyproject	moby\/v2	2.0.0	any

References 1

github.com https://github.com/moby/moby/security/advisories/GHSA-rg2x-37c3-w2rh

MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.