ALT-PU-2026-9799-1

Package update docker-engine in branch sisyphus

Version29.5.1-alt1

Published2026-05-19

Max severityHIGH

Severity:

Closed issues (4)

MEDIUM6.1

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Published: 2026-06-12Modified: 2026-06-17

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H

References

https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5

HIGH7.2

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14.

Published: 2026-06-12Modified: 2026-06-17

CVSS 3.xHIGH 7.2

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

References

https://github.com/moby/moby/security/advisories/GHSA-rg2x-37c3-w2rh

GHSA-rg2x-37c3-w2rh

HIGH7.2

Docker: Race condition in docker cp allows bind mount redirection to host path

Published: 2026-05-18Modified: 2026-06-12

CVSS 3.xHIGH 7.2

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

References

GHSA-vp62-88p7-qqf5

MEDIUM6.1

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

Published: 2026-05-18Modified: 2026-06-12

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H

References