CVE-2026-41567
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via PUT /containers/{id}/archive or piped through docker cp -, the daemon resolves decompression binaries (such as xz or unpigz) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, and avoiding piping compressed archives into containers created from untrusted images
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| moby | moby/v2/daemon | < 2.0.0-beta.14 | affected |
| moby | Docker Engine | < 29.5.1 | affected |
| docker | docker/daemon | <= 28.5.2 | affected |
Weaknesses
- CWE-427: CWE-427: Uncontrolled Search Path Element
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
docker: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload
Additional References
- https://access.redhat.com/security/cve/CVE-2026-41567
- https://bugzilla.redhat.com/show_bug.cgi?id=2485356
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41567.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.