PT-2026-41767 · Docker+1 · Docker+1

Published: 2026-05-18 · Updated: 2026-06-25 · CVE-2026-42306

CVSS v3.1: 7.2 High

Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Docker (affected versions not specified)

Description

A race condition occurs during the mount setup of the docker cp command. When copying files into a container, the daemon creates a temporary filesystem view by bind-mounting volumes. A process inside the container can replace the mount destination or a parent path component with a symlink pointing to an arbitrary host location between the mountpoint creation and the mount() syscall. Because the mount() syscall follows the symlink, the volume is bind-mounted onto an arbitrary host path. If the volume is writable, host files may be overwritten; if read-only, the host path is masked, leading to a denial of service. This can be triggered via docker cp or the API endpoints 'PUT /containers/{id}/archive' and 'HEAD /containers/{id}/archive'.

Recommendations

Only run containers from trusted images. Avoid using docker cp with untrusted running containers. Use authorization plugins to restrict access to the 'PUT /containers/{id}/archive' and 'HEAD /containers/{id}/archive' API endpoints.
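One way to apply the authorization-plugin recommendation, as an added example that is not code from Docker or from this advisory: a Go authz plugin that denies PUT and HEAD requests to /containers/{id}/archive and allows everything else. The loopback listen address and the denial message are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"regexp"
)

// Docker routes the container name as ".*", so the id segment is matched loosely.
var archivePath = regexp.MustCompile(`^(/v[0-9.]+)?/containers/.+/archive$`)

type authZRequest struct { // the AuthZReq fields this policy reads
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}

type authZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// decide denies PUT and HEAD on /containers/{id}/archive and allows the rest.
func decide(req authZRequest) authZResponse {
	u, err := url.ParseRequestURI(req.RequestURI) // u.Path is percent-decoded
	guarded := req.RequestMethod == "PUT" || req.RequestMethod == "HEAD"
	if err != nil || (guarded && archivePath.MatchString(u.Path)) { // fail closed on a bad URI
		return authZResponse{Msg: "denied: container archive endpoint or unparseable URI"}
	}
	return authZResponse{Allow: true}
}

func handle(w http.ResponseWriter, r *http.Request) {
	var out any = authZResponse{Allow: true} // AuthZRes: responses pass through
	switch r.URL.Path {
	case "/Plugin.Activate":
		out = map[string][]string{"Implements": {"authz"}}
	case "/AuthZPlugin.AuthZReq":
		var req authZRequest
		_ = json.NewDecoder(r.Body).Decode(&req) // undecodable body: empty URI, denied
		out = decide(req)
	}
	_ = json.NewEncoder(w).Encode(out)
}

func main() { // loopback address is an assumption; a plugin .spec file would point at it
	panic(http.ListenAndServe("127.0.0.1:8089", http.HandlerFunc(handle)))
}
```

The daemon has to be started with --authorization-plugin naming this plugin before the policy takes effect. Matching on the parsed path rather than the raw URI keeps a percent-encoded spelling of the endpoint from slipping past the check.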

Fix

DoS

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

CVE-2026-42306
GHSA-RG2X-37C3-W2RH
GO-2026-5617

Affected Products

Docker
Red Os