Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.001.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
moby moby affected
Version Status Constraints
github.com/docker/docker/daemon <= 28.5.2 affected
Docker Engine < 29.5.1 affected
github.com/moby/moby/v2/daemon < 2.0.0-beta.14 affected

Configuration 1 [-]

OR cpe:2.3:a:docker:engine:*:*:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta0:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta10:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta11:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta12:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta13:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta8:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta9:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Moby Subscribe
Moby Subscribe

Project Subscriptions

Vendors Products
Docker Subscribe
Engine Subscribe
Moby Subscribe
Moby Subscribe
Mobyproject Subscribe
Moby Subscribe
Moby\/v2 Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vp62-88p7-qqf5 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-41568 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-41568 cve-icon
History

Sat, 20 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Tue, 16 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Docker
Docker engine
Mobyproject
Mobyproject moby
Mobyproject moby\/v2
CPEs cpe:2.3:a:docker:engine:*:*:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta0:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta10:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta11:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta12:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta13:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta8:*:*:*:*:*:*
cpe:2.3:a:mobyproject:moby\/v2:2.0.0:beta9:*:*:*:*:*:*
Vendors & Products Docker
Docker engine
Mobyproject
Mobyproject moby
Mobyproject moby\/v2

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Moby
Moby moby
Vendors & Products Moby
Moby moby

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Title Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Weaknesses CWE-367
CWE-81
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:01:58.963Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41568

cve-icon Vulnrichment

Updated: 2026-06-12T20:01:55.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T19:16:26.907

Modified: 2026-06-16T18:31:54.957

Link: CVE-2026-41568

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-12T18:08:43Z

Links: CVE-2026-41568 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses