PT-2026-41766 · Docker+1 · Docker+1
Published
2026-05-18
·
Updated
2026-06-25
·
CVE-2026-41568
CVSS v3.1
6.1
Medium
| Vector | AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
Docker (affected versions not specified)
Description
A race condition occurs during the mount setup of
docker cp, allowing a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem with root privileges. When copying files, the daemon resolves the destination path using GetResourcePath and creates the mountpoint via createIfNotExists. A process inside the container can swap a path component for a symlink between these two steps. Since createIfNotExists uses os.MkdirAll and os.OpenFile, which follow symlinks, the file or directory is created outside the container root. This can lead to a persistent denial of service by creating files like /etc/nologin or converting /etc/docker/daemon.json into a directory. Exploitation requires a container with volume mounts and an operator initiating a docker cp command or calling the 'PUT /containers/{id}/archive' or 'HEAD /containers/{id}/archive' API endpoints.Recommendations
Restrict access to the 'PUT /containers/{id}/archive' and 'HEAD /containers/{id}/archive' API endpoints using authorization plugins.
Avoid using
docker cp with untrusted running containers.
Only run containers from trusted images.Exploit
Fix
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Docker
Red Os