CVE-2026-42306

7.2 HIGH

Moby is an open source container framework

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CVSS: 7.2 HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H
CWE: CWE-367, CWE-61

Description

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-54420 — LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with ... (8.5 HIGH)
CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)
CVE-2026-53822 — OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution (8.8 HIGH)