CVE-2026-41567

HIGH EPSS 3.5%
Published Jun 5, 20263w ago · Modified Jun 17, 20262w ago
7.2 CVSS 3.1
High
Find Similar
Published Jun 5, 2026 3w ago
Last Modified Jun 17, 2026 2w ago

Description

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images

CVSS Details

Base Score
7.2
Exploitability
0.8
Impact
5.8
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
3.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-427

References 1

  • github.com https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.