VYPR · High severity (7.2) · GHSA Advisory · Published May 18, 2026

Docker: Race condition in docker cp allows bind mount redirection to host path

CVE-2026-42306

Description

Summary

A race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service.

Details

When copying files into a container, the daemon sets up a temporary filesystem view by bind-mounting the container's volumes into a private mount namespace. During this setup, the mount destination directory is created inside the container root, and a bind mount is then attached at that destination, which the daemon names by resolving the container-relative path to an absolute host path (container rootfs plus destination) and passing that string to mount().

Between mountpoint creation and the mount() syscall, a process running inside the container can replace the destination (or a parent path component) with a symlink pointing to an arbitrary location on the host. Because the daemon passes a path string rather than a handle to the directory it just created, the kernel resolves that path again at mount() time, follows the symlink, and bind-mounts the volume onto an arbitrary host path instead of the intended container path: a classic time-of-check to time-of-use race.
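As an added illustration of the race (this is not code from the advisory or from Moby), the Go program below contrasts the path-string pattern the advisory describes with a resolution that opens the destination one component at a time with O_NOFOLLOW, relative to a file descriptor for the container root, and then names the mount target as /proc/self/fd/N. The fd is pinned to the directory inode, so a symlink swapped in afterwards cannot redirect the mount. The function names, the throwaway rootfs and the symlink it plants are constructed for the demo; the mount() call itself is left out so the program runs unprivileged, and nothing here claims to be the fix the maintainers shipped.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Flags for opening one path component: it must be a directory and must not
// be a symlink. If the container has swapped the component for a symlink,
// openat fails with ELOOP instead of silently following it.
const componentFlags = syscall.O_RDONLY | syscall.O_DIRECTORY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC

// NaiveMountTarget reproduces the pattern the advisory describes: join the
// container-relative destination onto the rootfs and hand the string to the
// kernel. mount() resolves that string (and any symlink in it) only when it
// runs, which is the window the container races.
func NaiveMountTarget(root, dest string) string {
	return filepath.Join(root, dest)
}

// OpenInRoot walks dest one component at a time relative to an fd for root,
// refusing symlinks and never re-reading an absolute path. The returned fd is
// pinned to the directory inode; swapping a path component afterwards cannot
// change what it refers to. The caller closes the fd.
func OpenInRoot(root, dest string) (int, error) {
	cur, err := syscall.Open(root, componentFlags, 0)
	if err != nil {
		return -1, fmt.Errorf("open root %q: %w", root, err)
	}
	// Clean dest as an absolute path so ".." can never climb above root.
	cleaned := filepath.Clean("/" + dest)
	for _, comp := range strings.Split(strings.TrimPrefix(cleaned, "/"), "/") {
		if comp == "" {
			continue
		}
		next, err := syscall.Openat(cur, comp, componentFlags, 0)
		syscall.Close(cur)
		if err != nil {
			if errors.Is(err, syscall.ELOOP) {
				return -1, fmt.Errorf("component %q is a symlink: refusing to follow", comp)
			}
			return -1, fmt.Errorf("open component %q: %w", comp, err)
		}
		cur = next
	}
	return cur, nil
}

// FdMountTarget is the path a bind mount should use as its target. The kernel
// resolves /proc/self/fd/N to the pinned inode, not to whatever the container
// has since placed at the destination path.
func FdMountTarget(fd int) string {
	return fmt.Sprintf("/proc/self/fd/%d", fd)
}

// ResolvedPath reports where a pinned fd actually points (for verification).
func ResolvedPath(fd int) (string, error) {
	return os.Readlink(FdMountTarget(fd))
}

func main() {
	// Constructed demo: a throwaway "rootfs" in which a container process has
	// already replaced the mount destination with a symlink to a host path.
	root, _ := os.MkdirTemp("", "rootfs-")
	hostDir, _ := os.MkdirTemp("", "host-")
	defer os.RemoveAll(root)
	defer os.RemoveAll(hostDir)
	_ = os.Symlink(hostDir, filepath.Join(root, "mnt"))

	naive := NaiveMountTarget(root, "/mnt")
	followed, _ := filepath.EvalSymlinks(naive)
	fmt.Printf("naive target %s\n  -> kernel would mount onto %s\n", naive, followed)

	if _, err := OpenInRoot(root, "/mnt"); err != nil {
		fmt.Println("pinned resolution refused:", err)
	}
}
```

The point of the fd-based form is that there is no second path lookup for the container to race: the daemon checks and uses the same kernel object. Rejecting symlinks outright is the simplest policy; a daemon that must honour symlinks inside the rootfs would instead need to resolve them component by component under the root fd, which is the same idea with more bookkeeping.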

Impact

A malicious container can redirect a volume bind mount to an arbitrary host path. The impact depends on the volume content and mount options:

  • If the volume is writable, arbitrary host files at the redirected path could be overwritten with the volume's contents.
  • If the volume is read-only, the host path is masked by the mount for the duration of the operation, causing denial of service.
  • In all cases the mount is temporary (torn down after the docker cp completes), but the effects of any writes persist.

Conditions for exploitation

  • A container must have at least one volume mount.
  • A process inside the container must be able to create and swap symlinks at the volume mount destination path (or at one of its parent components) quickly enough to win the race.
  • An operator must initiate a docker cp into that container, or call the PUT /containers/{id}/archive or HEAD /containers/{id}/archive API endpoints directly (docker cp itself is implemented on top of these endpoints).

Not affected

  • Containers that do not have volume mounts are not affected, as the race occurs during volume bind-mount setup.

Workarounds

  • Only run containers from trusted images (the racing process can be any process in the container, so a compromised workload is as dangerous as a malicious image).
  • Avoid using docker cp with untrusted running containers.
  • Use authorization plugins to restrict access to the archive API endpoints (PUT /containers/{id}/archive, HEAD /containers/{id}/archive) to trusted callers.
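To make the last workaround concrete, here is an added example of a minimal Docker authorization plugin in Go, written for this page rather than taken from the advisory or from any published plugin. It implements the daemon's authorization plugin protocol (POST /Plugin.Activate, /AuthZPlugin.AuthZReq, /AuthZPlugin.AuthZRes) and denies PUT and HEAD on /containers/{id}/archive unless the caller is in an allow-list; GET on the same endpoint (docker cp out of a container, which the advisory does not list) and every other API call are passed through. The plugin name authz-archive, the socket path and the allow-list contents are assumptions for the demo.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"os"
	"regexp"
	"strings"
)

// AuthZRequest is the JSON body the daemon POSTs to /AuthZPlugin.AuthZReq for
// every API call; field names follow the authorization plugin protocol.
type AuthZRequest struct {
	User            string            `json:"User"`
	UserAuthNMethod string            `json:"UserAuthNMethod"`
	RequestMethod   string            `json:"RequestMethod"`
	RequestURI      string            `json:"RequestUri"`
	RequestBody     []byte            `json:"RequestBody,omitempty"`
	RequestHeaders  map[string]string `json:"RequestHeaders,omitempty"`
}

// AuthZResponse is the plugin's verdict; Allow=false makes the daemon reject
// the call with Msg as the client-visible reason.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// archiveEndpoint matches the container archive endpoint with or without the
// optional API version prefix the CLI sends (/v1.43/containers/<id>/archive).
var archiveEndpoint = regexp.MustCompile(`^/(v[0-9]+(\.[0-9]+)?/)?containers/[^/]+/archive/?$`)

// Decide applies the policy: PUT and HEAD on the archive endpoint (the calls
// docker cp into a container makes) are denied unless the caller is allowed.
func Decide(req AuthZRequest, allowedUsers map[string]bool) AuthZResponse {
	path := req.RequestURI
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // drop ?path=... before matching
	}
	if !archiveEndpoint.MatchString(path) {
		return AuthZResponse{Allow: true}
	}
	switch strings.ToUpper(req.RequestMethod) {
	case http.MethodPut, http.MethodHead:
		if allowedUsers[req.User] {
			return AuthZResponse{Allow: true}
		}
		return AuthZResponse{Allow: false, Msg: "copying into containers is restricted on this host"}
	}
	return AuthZResponse{Allow: true}
}

// Handler serves the plugin protocol. The response hook (AuthZRes) always
// allows: the decision is made before the daemon acts on the request.
func Handler(allowedUsers map[string]bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, map[string][]string{"Implements": {"authz"}})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			writeJSON(w, AuthZResponse{Allow: false, Err: "malformed authz request: " + err.Error()})
			return
		}
		writeJSON(w, Decide(req, allowedUsers))
	})
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, AuthZResponse{Allow: true})
	})
	return mux
}

func writeJSON(w http.ResponseWriter, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(v)
}

func main() {
	// The daemon discovers a plugin by its socket name under /run/docker/plugins
	// and is pointed at it with --authorization-plugin=authz-archive (assumed name).
	sock := "/run/docker/plugins/authz-archive.sock"
	_ = os.Remove(sock)
	l, err := net.Listen("unix", sock)
	if err != nil {
		log.Fatal(err)
	}
	allowed := map[string]bool{"ops-admin": true} // constructed allow-list
	log.Fatal(http.Serve(l, Handler(allowed)))
}
```

Two practical notes. The daemon only fills in User (from the client certificate's common name) when the API is served over TLS with client authentication; on a plain Unix socket it is empty, so with this policy nobody can copy into a container, which is the safe failure. And the match is done on the request URI as the daemon sees it, including the optional version prefix; a rule written against /containers/ alone would miss the versioned form the CLI normally sends.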

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Docker's `docker cp` allows a malicious container to redirect a bind mount to an arbitrary host path, enabling file overwrite or denial of service.

Root Cause: A race condition exists in Docker's docker cp command during the setup of temporary bind mounts. When copying files into a container, the daemon creates a mount destination inside the container root and then performs a mount() syscall. Between these two steps, a process inside the container can replace the destination (or a parent path) with a symlink pointing to an arbitrary host path. The mount() syscall follows the symlink, causing the volume to be bind-mounted onto an unintended host location [1][2].

Exploitation: The attack requires a container with at least one volume mount and a process capable of rapidly creating and swapping symlinks at the volume mount destination path. An operator must initiate a docker cp into that container or call the PUT /containers/{id}/archive or HEAD /containers/{id}/archive API endpoints. Containers without volume mounts are not affected [1][2].

Impact: If the redirected volume is writable, arbitrary host files at the target path can be overwritten with the volume's contents. If the volume is read-only, the host path is masked by the mount for the duration of the operation, causing a denial of service. Although the mount is temporary and torn down after docker cp completes, any writes performed persist on the host [1][2].

Mitigation: No official patch is mentioned in the advisory. Recommended workarounds include only running containers from trusted images, avoiding docker cp with untrusted running containers, and using authorization plugins to restrict access to the archive API endpoints [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
