CVE Catalog

CVE-2026-41567

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile - higher than 5% of all known CVEs

Summary

In Moby (Docker Engine) before 29.5.1 and moby/moby v2 before v2.0.0-beta.14, when a compressed archive is uploaded to a container, the daemon resolves decompression binaries (e.g., xz, unpigz) from the container's filesystem instead of the host. A malicious container image with trojanized decompression binaries can achieve arbitrary code execution with full daemon privileges (host root UID and unrestricted capabilities).

Risk Assessment

An attacker can gain complete control over the Docker host, executing arbitrary code as root, compromising confidentiality, integrity, and availability of all containers and host data.

Recommendation

Immediately upgrade Docker Engine to 29.5.1 or moby/moby to v2.0.0-beta.14. Until then, only use trusted container images, deploy authorization plugins to block the PUT /containers/{id}/archive endpoint, and avoid piping compressed archives into containers from untrusted images.

Original NVD description (English source)

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images

Vulnerability data from NVD (NIST) · CISA KEV · EPSS