CVE-2026-41568
Race Condition vulnerability in docker (Go)
What is CVE-2026-41568 About?
This race condition vulnerability in `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. It exploits a timing window between path resolution and mountpoint creation. Successful exploitation can lead to persistent denial of service on the host. Exploitation requires a running malicious container and a user initiating a `docker cp` operation.
Affected Software
- github.com/docker/docker: <=28.5.2
- github.com/moby/moby/v2: <2.0.0-beta.14
- github.com/moby/moby: <=28.5.2
Technical Details
The vulnerability occurs during the `docker cp` operation when the daemon sets up a temporary filesystem view by bind-mounting volumes. The process involves resolving the mount destination path within the container's root filesystem using `GetResourcePath`, followed by creating the mountpoint (file or directory) if it doesn't exist via `createIfNotExists`. A malicious process inside the container can exploit a race window between these two steps. After path resolution but before `createIfNotExists` executes, the container can swap a path component for a symlink pointing to an arbitrary location on the host. Because `createIfNotExists` operates on the already-resolved absolute path using `os.MkdirAll` and `os.OpenFile` (which follow symlinks in intermediate path components), the symlink is followed, and an empty file or directory is created outside the container root filesystem at the arbitrary host path, running as root.
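The following Go program is an added illustration of the two shapes described above, not code from moby; the function names (`createIfNotExistsResolved`, `createIfNotExistsNoFollow`, `demo`) and the directory layout are this example's own assumptions. It stages the race outcome in a temporary directory: a "container root" whose resolved destination `data/share` has its `data` component replaced by a symlink to an "outside" directory before creation runs. The resolved-path variant (`os.MkdirAll` / `os.OpenFile`) follows the symlink and creates the directory outside the root; the hardened variant holds a descriptor on the root and walks one component at a time with `openat(2)` and `O_NOFOLLOW|O_DIRECTORY`, so the swapped component is refused with `ELOOP` rather than followed. It relies on the `syscall` package's `Openat`/`Mkdirat` and therefore runs on Linux and other Unix-like systems only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// createIfNotExistsResolved has the vulnerable shape described above (names in
// this file are the example's own, not moby's): it trusts an already-resolved
// absolute path and creates it with os.MkdirAll / os.OpenFile, both of which
// follow symlinks in intermediate components.
func createIfNotExistsResolved(resolved string, isDir bool) error {
	if isDir {
		return os.MkdirAll(resolved, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(resolved), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(resolved, os.O_CREATE|os.O_WRONLY, 0o644)
	if err != nil {
		return err
	}
	return f.Close()
}

// createIfNotExistsNoFollow is the hardened shape: it never hands the kernel a
// full path. It keeps a descriptor on the container root and descends one
// component at a time with openat(2) using O_NOFOLLOW|O_DIRECTORY, so a
// component swapped for a symlink between steps fails (ELOOP) instead of being followed.
func createIfNotExistsNoFollow(root, rel string, isDir bool) error {
	rel = filepath.Clean(rel)
	if filepath.IsAbs(rel) || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return fmt.Errorf("refusing %q: destination must be a relative path inside root", rel)
	}
	dirfd, err := syscall.Open(root, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err
	}
	defer func() { syscall.Close(dirfd) }() // closes whichever descriptor is held last
	parts := strings.Split(rel, string(filepath.Separator))
	for i, name := range parts {
		if i == len(parts)-1 && !isDir {
			fd, err := syscall.Openat(dirfd, name, syscall.O_CREAT|syscall.O_WRONLY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0o644)
			if err != nil {
				return fmt.Errorf("create %q: %w", name, err)
			}
			return syscall.Close(fd)
		}
		if err := syscall.Mkdirat(dirfd, name, 0o755); err != nil && !errors.Is(err, syscall.EEXIST) {
			return fmt.Errorf("mkdir %q: %w", name, err)
		}
		next, err := syscall.Openat(dirfd, name, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
		if err != nil {
			return fmt.Errorf("descend into %q: %w", name, err) // ELOOP if name became a symlink
		}
		syscall.Close(dirfd)
		dirfd = next
	}
	return nil
}

// demo stages the advisory's race outcome in a throwaway directory: "root" stands
// for the container rootfs and "outside" for a host location. The destination is
// resolved to root/data/share, then root/data is replaced by a symlink to outside.
func demo() (escaped bool, hardenedErr error, err error) {
	tmp, err := os.MkdirTemp("", "cve-2026-41568-demo")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(tmp)
	root, outside := filepath.Join(tmp, "root"), filepath.Join(tmp, "outside")
	data := filepath.Join(root, "data")
	if err := errors.Join(os.MkdirAll(data, 0o755), os.Mkdir(outside, 0o755)); err != nil {
		return false, nil, err
	}
	resolved := filepath.Join(data, "share") // step 1: path resolution
	// step 2: race window, the directory component becomes a symlink
	if err := errors.Join(os.Remove(data), os.Symlink(outside, data)); err != nil {
		return false, nil, err
	}
	hardenedErr = createIfNotExistsNoFollow(root, "data/share", true) // step 3a: must refuse
	if _, e := os.Lstat(filepath.Join(outside, "share")); e == nil {
		return false, hardenedErr, errors.New("hardened path created a directory outside root")
	}
	if err := createIfNotExistsResolved(resolved, true); err != nil { // step 3b: follows symlink
		return false, hardenedErr, err
	}
	_, statErr := os.Lstat(filepath.Join(outside, "share"))
	return statErr == nil, hardenedErr, nil
}

func main() {
	escaped, hardenedErr, err := demo()
	fmt.Println("vulnerable variant escaped root:", escaped, "| hardened variant refused:", hardenedErr, "| setup error:", err)
}
```

The hardened walk is the general pattern for any "create inside an untrusted root" operation: validate the relative path up front, then let the kernel do each step relative to a directory descriptor with `O_NOFOLLOW`, so nothing the container does between resolution and creation can redirect the final `mkdirat`/`openat` outside the root.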
What is the Impact of CVE-2026-41568?
Successful exploitation may allow attackers to cause persistent denial of service on the host system by creating empty files or directories at critical locations, preventing system services from functioning correctly (e.g., corrupting configuration files or preventing user logins).
What is the Exploitability of CVE-2026-41568?
Exploitation complexity is moderate due to the race condition. It requires no authentication to the daemon but necessitates a specific sequence of events. A prerequisite is a container running a malicious process capable of rapidly creating and swapping symlinks at a volume mount destination path. An operator must then initiate a `docker cp` into that container, or call the `PUT /containers/{id}/archive` or `HEAD /containers/{id}/archive` API endpoints. The exploit does not grant read or write access to existing host files, only the ability to create new empty files or directories. Containers without volume mounts are not affected. The timing-dependent nature of the race condition makes successful exploitation more complex than a direct code execution vulnerability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-41568?
Available Upgrade Options
- github.com/moby/moby/v2: <2.0.0-beta.14 → Upgrade to 2.0.0-beta.14
What are Similar Vulnerabilities to CVE-2026-41568?
Similar Vulnerabilities: CVE-2023-28189, CVE-2023-29479, CVE-2023-29007, CVE-2023-28956, CVE-2023-0466
