CVE-2026-41568: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
A race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
This advisory covers the race during mountpoint creation. The related race during the subsequent mount syscall is tracked in GHSA-rg2x-37c3-w2rh.
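The mountpoint-creation race described above is a check-then-use gap in path resolution: a path component can be replaced by a symlink between the moment it is resolved and the moment the empty file is created. As an added illustration (not Docker's code, and not the fix shipped for this CVE, which this advisory does not describe), the C example below creates an empty mountpoint file by walking the path one component at a time from a directory file descriptor with O_NOFOLLOW. The function names and the temp-directory case are hypothetical and constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an empty file at relative path `rel` beneath the directory open as
 * rootfd. Each component is opened relative to the previous fd with O_NOFOLLOW,
 * so a symlink swapped in mid-walk is an error instead of a redirect. Absolute
 * paths and paths containing ".." are rejected. Returns 0, or -1 with errno. */
int create_mountpoint_beneath(int rootfd, const char *rel)
{
    char buf[PATH_MAX], *save = NULL;
    if (rel[0] == '/' || strstr(rel, "..") || strlen(rel) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, rel);
    int dirfd = dup(rootfd);
    char *comp = strtok_r(buf, "/", &save);
    while (dirfd >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1;
        if (!next)                          /* last component: the empty file */
            fd = openat(dirfd, comp, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
        else if (mkdirat(dirfd, comp, 0755) == 0 || errno == EEXIST)
            fd = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        int err = errno;                    /* close() may overwrite errno */
        close(dirfd);
        if (fd < 0) { errno = err; return -1; }
        dirfd = fd;
        comp = next;
    }
    if (dirfd >= 0) close(dirfd);
    return dirfd < 0 ? -1 : 0;
}

/* Constructed case: "etc" under the root is a symlink to another directory. */
int demo_symlink_refused(void)
{
    char root[] = "/tmp/cp-rootXXXXXX", host[] = "/tmp/cp-hostXXXXXX";
    if (!mkdtemp(root) || !mkdtemp(host)) return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0 || symlinkat(host, rootfd, "etc") < 0) return -1;
    int rc = create_mountpoint_beneath(rootfd, "etc/resolv.conf");
    int leaked = faccessat(rootfd, "etc/resolv.conf", F_OK, 0) == 0; /* follows the link */
    close(rootfd);
    return rc == -1 && !leaked;             /* 1: refused, link target untouched */
}
```

On Linux 5.6 and later, openat2() with RESOLVE_BENEATH or RESOLVE_NO_SYMLINKS lets the kernel enforce the same constraint in a single call.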