PT-2026-41766 · Docker+1 · Docker+1

Published

2026-05-18

·

Updated

2026-06-25

·

CVE-2026-41568

CVSS v3.1

6.1

Medium

VectorAV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions Docker (affected versions not specified)
Description A race condition occurs during the mount setup of docker cp, allowing a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem with root privileges. When copying files, the daemon resolves the destination path using GetResourcePath and creates the mountpoint via createIfNotExists. A process inside the container can swap a path component for a symlink between these two steps. Since createIfNotExists uses os.MkdirAll and os.OpenFile, which follow symlinks, the file or directory is created outside the container root. This can lead to a persistent denial of service by creating files like /etc/nologin or converting /etc/docker/daemon.json into a directory. Exploitation requires a container with volume mounts and an operator initiating a docker cp command or calling the 'PUT /containers/{id}/archive' or 'HEAD /containers/{id}/archive' API endpoints.
Recommendations Restrict access to the 'PUT /containers/{id}/archive' and 'HEAD /containers/{id}/archive' API endpoints using authorization plugins. Avoid using docker cp with untrusted running containers. Only run containers from trusted images.

Exploit

Fix

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41568
GHSA-VP62-88P7-QQF5
GO-2026-5668

Affected Products

Docker
Red Os