Moby/Moby (<= 28.5.2) — CraftedSignal Threat Feed

Docker Race Condition Allows Bind Mount Redirection to Host Path (CVE-2026-42306)

hello@craftedsignal.io — Mon, 18 May 2026 17:54:09 +0000

A race condition vulnerability exists in Docker’s docker cp command related to the setup of temporary filesystem views when copying files into a container. This flaw, identified as CVE-2026-42306, allows a malicious container to redirect a bind mount target to an arbitrary host path. The vulnerability occurs because, during the setup, a process inside the container can replace the mount destination with a symlink pointing to the host before the mount syscall completes. This can lead to overwriting host files with the volume’s contents or causing denial of service by masking the host path. This vulnerability affects docker/docker versions up to 28.5.2 and moby/moby versions up to 28.5.2 and versions of moby/moby/v2 prior to 2.0.0-beta.14.

Attack Chain

A container with at least one volume mount is created.
A malicious process within the container gains the ability to rapidly create and swap symlinks at the volume mount destination path.
The attacker identifies a target host path for redirection.
The attacker prepares malicious content to overwrite the host path.
An operator initiates a docker cp command to copy files into the container.
Before the mount() syscall completes, the malicious process replaces the mount destination with a symlink pointing to the attacker-controlled host path.
The mount() syscall follows the symlink, and the volume is bind-mounted to the attacker-controlled host path.
Depending on the volume content and permissions, either the host files are overwritten, or the host path is masked, potentially leading to denial of service.

Impact

Successful exploitation of this race condition (CVE-2026-42306) allows a malicious container to redirect a volume bind mount to an arbitrary host path. If the volume is writable, arbitrary host files at the redirected path could be overwritten, leading to data corruption or system compromise. If the volume is read-only, the host path is masked by the mount, causing a denial of service. While the mount is temporary and torn down after the docker cp completes, the effects of any writes persist.

Recommendation

Upgrade to patched versions of go/github.com/docker/docker and go/github.com/moby/moby to address CVE-2026-42306.
Only run containers from trusted images to minimize the risk of malicious processes exploiting the vulnerability.
Avoid using docker cp with untrusted running containers to prevent unintended bind mount redirection.
Implement authorization plugins to restrict access to the archive API endpoints (PUT /containers/{id}/archive, HEAD /containers/{id}/archive) as a workaround.

Docker `PUT /containers/{id}/archive` Vulnerability Allows Host Root Code Execution

hello@craftedsignal.io — Mon, 18 May 2026 17:47:42 +0000

A vulnerability, identified as CVE-2026-41567, exists in Docker related to the handling of compressed archives uploaded via the PUT /containers/{id}/archive endpoint. When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges. The vulnerability stems from the Docker daemon incorrectly resolving decompression binaries from the container’s filesystem instead of the host’s when handling PUT /containers/{id}/archive requests with compressed archives. This allows a container image containing a trojanized decompression binary (e.g., xz or gzip) to achieve code execution as the daemon process whenever a compressed archive is uploaded to that container. This issue affects Docker versions up to 28.5.2, moby/moby versions up to 28.5.2, and go/github.com/moby/moby/v2 versions prior to 2.0.0-beta.14.

Attack Chain

An attacker crafts a malicious Docker image containing a trojanized decompression binary (e.g., xz or gzip).
The attacker deploys the malicious Docker image to a system.
A user runs a container from the malicious image.
The user uploads a compressed archive (either xz or gzip) into the container. This can be achieved by piping a compressed archive via docker cp - or by calling the PUT /containers/{id}/archive API directly with compressed content.
When processing the PUT /containers/{id}/archive request, the Docker daemon attempts to decompress the archive.
Due to the vulnerability, the Docker daemon executes the trojanized decompression binary from within the container’s filesystem instead of using a trusted host binary.
The trojanized decompression binary executes arbitrary code with the privileges of the Docker daemon, which includes host root privileges.
The attacker gains control of the host system.

Impact

Successful exploitation of this vulnerability leads to arbitrary code execution as host root, effectively bypassing the container-to-host trust boundary. This allows an attacker to gain full control of the host system, potentially leading to data exfiltration, system compromise, or other malicious activities.

Recommendation

Upgrade to Docker version 28.5.3 or later to remediate CVE-2026-41567.
Apply available patches for go/github.com/moby/moby/v2 before version 2.0.0-beta.14 to remediate CVE-2026-41567.
Implement authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, as recommended in the overview.
Avoid piping compressed archives into containers created from untrusted images, as discussed in the conditions for exploitation.