Related Vulnerabilities: CVE-2024-23651  

Description: A race condition issue was found in the Moby Builder Toolkit, stemming from a time-of-check/time-of-use (TOCTOU) vulnerability during cache volume mounting at container build time. Concurrent execution of two malicious build steps, sharing the same cache mounts with subpaths, may result in files from the host system being accessible to the build container. Successful exploitation could lead to a container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (for example, when using FROM).
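
The precondition described above (several build steps sharing one cache mount, with a subpath in use) can be checked before an untrusted Dockerfile is built. The following triage script is an added example, not code from this advisory or from the Moby project; the function names and the sample Dockerfile are constructed for illustration, and a hit is a reason to review the file, not proof of malicious intent.

```python
import re

MOUNT_RE = re.compile(r"--mount=(\S+)")

def logical_lines(text):
    """Fold backslash continuations, then drop blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def cache_mounts(instruction):
    """Yield (cache_id, has_subpath) for each cache mount on a RUN instruction."""
    if instruction.split(None, 1)[0].upper() != "RUN":
        return
    for spec in MOUNT_RE.findall(instruction):
        opts = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                    for kv in spec.split(","))
        if opts.get("type") != "cache":
            continue
        target = opts.get("target") or opts.get("dst") or opts.get("destination") or ""
        cache_id = opts.get("id") or target  # the id defaults to the target path
        # "src" is accepted here defensively as a short form of "source"
        yield cache_id, bool(opts.get("source") or opts.get("src"))

def risky_cache_ids(dockerfile_text):
    """Cache ids mounted by 2+ RUN steps where at least one mount sets a subpath."""
    seen = {}
    for ins in logical_lines(dockerfile_text):
        for cid, sub in cache_mounts(ins):
            count, any_sub = seen.get(cid, (0, False))
            seen[cid] = (count + 1, any_sub or sub)
    return sorted(cid for cid, (n, sub) in seen.items() if n >= 2 and sub)

# Constructed sample input: two stages share cache id "shared", one via a subpath.
SAMPLE = """\
FROM alpine AS a
RUN --mount=type=cache,id=shared,target=/cache,source=sub \\
    ls /cache
FROM alpine AS b
RUN --mount=type=cache,id=shared,target=/cache touch /cache/x
FROM alpine AS c
RUN --mount=type=cache,target=/root/.cache/pip pip install requests
"""

if __name__ == "__main__":
    print(risky_cache_ids(SAMPLE))
```

The check only covers the Dockerfile in hand; it cannot see build steps inherited from an upstream image referenced with FROM, which the description also names as a delivery path.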