CVE-2026-42306
cAdvisor 脆弱性の分析と軽減

概要

CVE-2026-42306 is a race condition vulnerability in Docker Engine and Moby that allows a malicious container to redirect a bind mount target to an arbitrary host path during docker cp operations. It affects Docker Engine versions prior to 29.5.1, Docker Daemon (Moby) versions 28.5.2 and earlier, and Moby Daemon versions prior to 2.0.0-beta.14. The vulnerability was published on May 18, 2026, and assigned a CVSS v3.1 base score of 7.2 (High) (GitHub Advisory, Moby Advisory).

技術的な詳細

The vulnerability is classified as CWE-61 (UNIX Symbolic Link Following) and CWE-367 (Time-of-check Time-of-use / TOCTOU Race Condition). When docker cp is executed, the daemon sets up a temporary filesystem view by bind-mounting volumes into a private mount namespace; the mount destination is created inside the container root and then a bind mount is attached using the container-relative path resolved to an absolute host path. Between mountpoint creation and the mount() syscall, a process inside the container can replace the destination directory (or a parent path component) with a symlink pointing to an arbitrary host location, causing mount() to follow the symlink and bind-mount the volume onto that unintended host path. Exploitation requires the container to have at least one volume mount, a process inside the container capable of rapidly swapping symlinks, and an operator initiating docker cp or calling the PUT /containers/{id}/archive or HEAD /containers/{id}/archive API endpoints (Moby Advisory).

影響

If the redirected volume is writable, arbitrary host files at the attacker-controlled path can be overwritten with the volume's contents, enabling potential privilege escalation or persistent host compromise. If the volume is read-only, the host path is masked for the duration of the docker cp operation, resulting in denial of service. Although the bind mount is temporary and torn down after docker cp completes, any writes made during the window persist on the host filesystem (Moby Advisory, GitHub Advisory).

エクスプロイテーションのステップ

  1. Setup malicious container: Deploy or gain access to a container that has at least one volume mount and can execute arbitrary processes inside it.
  2. Prepare symlink-swapping process: Inside the container, start a background process that rapidly and continuously replaces the volume mount destination path (or a parent directory component) with a symlink pointing to a sensitive host path (e.g., /etc/cron.d, /root/.ssh, or /etc/passwd).
  3. Trigger docker cp: Wait for or social-engineer an operator to execute docker cp into the container, or trigger a call to the PUT /containers/{id}/archive or HEAD /containers/{id}/archive Docker API endpoints targeting the container.
  4. Win the race: Time the symlink swap to occur between the daemon's mountpoint creation and the mount() syscall, causing the volume to be bind-mounted onto the targeted host path instead of the intended container path.
  5. Achieve impact: If the volume is writable, the volume's contents overwrite files at the redirected host path (e.g., injecting a malicious cron job or SSH key). If read-only, the host path is temporarily masked, causing denial of service for the duration of the operation (Moby Advisory).

妥協の兆候

  • Logs: Docker daemon logs showing unexpected bind mount paths during docker cp operations; audit logs recording mount() syscalls resolving to host paths outside the container root.
  • File System: Unexpected modifications to sensitive host files (e.g., /etc/cron.d/, /root/.ssh/authorized_keys, /etc/passwd) coinciding with docker cp operations; new or altered files in host directories not normally written by Docker.
  • Process: Rapid symlink creation/deletion activity inside a container at volume mount destination paths, observable via inotifywait or auditd rules on the container's overlay filesystem.
  • Network: Calls to the Docker API endpoints PUT /containers/{id}/archive or HEAD /containers/{id}/archive from unexpected sources or at unusual times, visible in Docker daemon access logs (Moby Advisory).

軽減策と回避策

Upgrade to Docker Engine 29.5.1 or Moby Daemon 2.0.0-beta.14, which contain the official patch for this vulnerability (Moby Advisory). If immediate upgrade is not possible, apply the following workarounds: only run containers from trusted images; avoid using docker cp with untrusted or running containers; and use Docker authorization plugins to restrict access to the PUT /containers/{id}/archive and HEAD /containers/{id}/archive API endpoints. Additionally, restrict which users are permitted to run containers and execute docker cp operations, and monitor for suspicious archive API usage.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 cAdvisor 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-39822HIGH7.8
  • cAdvisor logocAdvisor
  • netdata-fips-2.10
いいえはいJul 08, 2026
CVE-2026-42306HIGH7.2
  • cAdvisor logocAdvisor
  • cpe:2.3:a:docker:engine
いいえはいJun 12, 2026
CVE-2026-41568MEDIUM6.1
  • cAdvisor logocAdvisor
  • datadog-agent-7.77
いいえはいJun 12, 2026
CVE-2026-42505MEDIUM5.3
  • cAdvisor logocAdvisor
  • crossplane-provider-gcp-beta-compute
いいえはいJul 08, 2026
CVE-2026-41579LOW3.3
  • cAdvisor logocAdvisor
  • gpu-operator-26.3
いいえはいJul 01, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者