CVE-2026-41568
6.1 MEDIUM
Moby is an open source container framework
Published: 2026-06-12 · Last updated: 2026-06-16
Severity and scoring
- CVSS: 6.1 MEDIUM
- Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H
- CWE: CWE-367, CWE-81
Affected products
| Vendor | Product |
|---|---|
| docker | engine, moby, moby/v2 |
| mobyproject | engine, moby, moby/v2 |
Description
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-42306 — Moby is an open source container framework (7.2 HIGH)
- CVE-2026-5843 — The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary P... (8.2 HIGH)
- CVE-2026-5817 — The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizer... (8.2 HIGH)
- CVE-2026-6406 — The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop (8.8 HIGH)
- CVE-2026-34040 — Moby is an open source container framework (8.8 HIGH)
Same CWE
- CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
- CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
- CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)
- CVE-2026-53822 — OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution (8.8 HIGH)
- CVE-2026-54055 — Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)