If you run docker cp against containers built from external or third-party images, you have been handing a potential attacker a path to full host compromise. Docker Engine 29.5.1, released May 18, patches three separate CVEs in that single command.
The most serious is CVE-2026-41567. When docker cp decompresses archives, it locates helper binaries such as xz or unpigz by searching PATH, but that PATH lookup is performed against the container's filesystem while the process itself runs as root on the host. A malicious container can place its own binary at that PATH location and have it executed with host root privileges. The attack requires no special container capabilities beyond the ability to control what ends up in the container's filesystem.
CVE-2026-41568 and CVE-2026-42306 are time-of-check-to-time-of-use (TOCTOU) flaws. They let a container process create or redirect files and directories at arbitrary locations on the host filesystem during the copy operation. Classic race conditions, but with a root-level blast radius.
The common assumption is that docker cp is a safe, read-only admin operation. It is not — and these three CVEs make that explicit.
Upgrading Docker Engine is usually quick, but it requires a daemon restart, so in environments where uptime matters or where Docker upgrades go through a change management process it has to be scheduled. CI/CD pipelines using containerized build agents are the highest-risk surface: they routinely run docker cp against images pulled from external registries, exactly the scenario these vulnerabilities target. Update CI infrastructure first.
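An added example, not code from the article or from Docker: a POSIX shell check that compares a reported Docker Engine server version against the 29.5.1 patch release named above and greps pipeline definitions for docker cp invocations, so the CI hosts that need the upgrade first can be listed. The `docker version --format` template in the usage comment is the real CLI flag; the file names in that comment and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not the article's or Docker's code). Needs only POSIX sh,
# grep, sed and cut. The patched version is the release the article names.
PATCHED_VERSION="29.5.1"

# numeric_field VERSION N: the Nth dotted field of VERSION with any
# non-numeric suffix removed (so "1-ce" becomes "1"); a missing field is 0.
numeric_field() {
    f=$(printf '%s' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//')
    printf '%s' "${f:-0}"
}

# version_ge A B: succeeds when version A is at or above version B,
# comparing the first three dotted fields numerically, not as strings
# (so 29.10.0 is correctly newer than 29.9.0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(numeric_field "$1" "$i")
        fb=$(numeric_field "$2" "$i")
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# engine_status VERSION: prints "patched" when the daemon version carries the
# docker cp fixes and "vulnerable" otherwise.
engine_status() {
    if version_ge "$1" "$PATCHED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# find_docker_cp FILE...: prints file:line for every "docker cp" or
# "docker container cp" invocation, so pipelines copying out of containers
# built from third-party images can be triaged first. Exits non-zero
# (grep's status) when no file contains one.
find_docker_cp() {
    grep -nE 'docker[[:space:]]+(container[[:space:]]+)?cp([[:space:]]|$)' "$@"
}

# Live usage on a host with the Docker CLI (not executed here):
#   engine_status "$(docker version --format '{{.Server.Version}}')"
#   find_docker_cp .gitlab-ci.yml .github/workflows/*.yml Jenkinsfile
#
# Stand-alone: `sh check.sh 29.4.2` prints the status for that version; with
# no argument the script only defines the functions so it can be sourced.
if [ "$#" -ge 1 ]; then
    engine_status "$1"
fi
```

Feed the script the daemon version rather than the client version: the vulnerable code path runs in the daemon, and a freshly updated CLI talking to an old daemon reports a patched client while the host is still exposed.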
CVSS scores had not been published at the time of writing. The attack surface is local: docker cp has to be run against a container the adversary controls or has compromised. That is a real constraint, but in CI pipelines it describes normal operation.