Attack Chain

1. A container with at least one volume mount is created.
2. A malicious process within the container gains the ability to rapidly create and swap symlinks at the volume mount destination path.
3. The attacker identifies a target host path for redirection.
4. The attacker prepares malicious content to overwrite the host path.
5. An operator initiates a docker cp command to copy files into the container.
6. Before the mount() syscall completes, the malicious process replaces the mount destination with a symlink pointing to the attacker-controlled host path.
7. The mount() syscall follows the symlink, and the volume is bind-mounted to the attacker-controlled host path.
8. Depending on the volume content and permissions, either the host files are overwritten, or the host path is masked, potentially leading to denial of service.

Impact

Successful exploitation of this race condition (CVE-2026-42306) allows a malicious container to redirect a volume bind mount to an arbitrary host path. If the volume is writable, arbitrary host files at the redirected path could be overwritten, leading to data corruption or system compromise. If the volume is read-only, the host path is masked by the mount, causing a denial of service. While the mount is temporary and torn down after the docker cp completes, the effects of any writes persist.

Recommendation

• Upgrade to patched versions of go/github.com/docker/docker and go/github.com/moby/moby to address CVE-2026-42306.
• Only run containers from trusted images to minimize the risk of malicious processes exploiting the vulnerability.
• Avoid using docker cp with untrusted running containers to prevent unintended bind mount redirection.
• Implement authorization plugins to restrict access to the archive API endpoints (PUT /containers/{id}/archive, HEAD /containers/{id}/archive) as a workaround.