CVE-2026-41568
MEDIUMDescription
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.
Is your site exposed to CVE-2026-41568?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| docker | engine |
| mobyproject | moby |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
| mobyproject | moby\/v2 |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-41568? +
How severe is CVE-2026-41568? +
What products are affected by CVE-2026-41568? +
How do I check if I'm vulnerable to CVE-2026-41568? +
Related Vulnerabilities
Improper Neutralization of Script in an Error Message Web Page vulnerability in OpenText™ Service Manager. The vulnerability could reveal sensitive …
A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to …
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web …
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can …
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went …
A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop …