PT-2026-41767 · Docker+1 · Docker+1
Published: 2026-05-18 · Updated: 2026-06-25
CVE-2026-42306
CVSS v3.1: 7.2 (High)
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Docker (affected versions not specified)
Description
A race condition occurs during the mount setup of the docker cp command. When copying files into a container, the daemon creates a temporary filesystem view by bind-mounting volumes. A process inside the container can replace the mount destination or a parent path component with a symlink pointing to an arbitrary host location between the mountpoint creation and the mount() syscall. Because the mount() syscall follows the symlink, the volume is bind-mounted onto an arbitrary host path. If the volume is writable, host files may be overwritten; if read-only, the host path is masked, leading to a denial of service. This can be triggered via docker cp or the API endpoints 'PUT /containers/{id}/archive' and 'HEAD /containers/{id}/archive'.
Recommendations
Only run containers from trusted images.
Avoid using docker cp with untrusted running containers.
Use authorization plugins to restrict access to the 'PUT /containers/{id}/archive' and 'HEAD /containers/{id}/archive' API endpoints.
Fix
DoS
Time Of Check To Time Of Use
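The authorization-plugin recommendation above, sketched as the decision logic and request handler of a Docker authorization plugin. This is an added example, not code from Docker or from this advisory. The trustedUsers allow-list, the user names and the sample request are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"path"
	"regexp"
)

// authzRequest is the subset of the daemon's AuthZReq JSON body used here.
type authzRequest struct {
	User, RequestMethod string
	RequestURI          string `json:"RequestUri"`
}
type authzResponse struct {
	Allow bool
	Msg   string `json:",omitempty"`
}

// archivePath matches /containers/{id}/archive with or without a /vX.Y prefix.
var archivePath = regexp.MustCompile(`^(/v[0-9.]+)?/containers/.+/archive$`)
// trustedUsers is a hypothetical allow-list of TLS client identities.
var trustedUsers = map[string]bool{"ci-admin": true}

// decide denies PUT/HEAD on the archive endpoint unless the caller is trusted.
func decide(req authzRequest) authzResponse {
	u, err := url.ParseRequestURI(req.RequestURI)
	if err != nil {
		return authzResponse{Msg: "unparseable request URI"} // fail closed
	}
	onArchive := archivePath.MatchString(path.Clean(u.Path))
	if m := req.RequestMethod; onArchive && (m == "PUT" || m == "HEAD") && !trustedUsers[req.User] {
		return authzResponse{Msg: "archive endpoint is restricted"}
	}
	return authzResponse{Allow: true}
}

// authZReq is the handler a plugin would register for /AuthZPlugin.AuthZReq.
func authZReq(w http.ResponseWriter, r *http.Request) {
	var req authzRequest
	resp := authzResponse{Msg: "bad request body"} // fail closed
	if json.NewDecoder(r.Body).Decode(&req) == nil {
		resp = decide(req)
	}
	json.NewEncoder(w).Encode(resp)
}

func main() { fmt.Println(decide(authzRequest{"dev", "PUT", "/containers/web/archive?path=/tmp"})) }
```

GET on the same path stays allowed because the advisory names only the PUT and HEAD endpoints. An empty User is denied as well, since it is not on the allow-list.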
Related Identifiers
Affected Products
Docker
Red Os