CVE-2026-41567

HIGH

Docker: `PUT /containers/{id}/archive` executes container binary on the host

Title source: cna

Description

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r

Scores

CVSS v3 7.2

EPSS 0.0014

EPSS Percentile 3.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (6)

docker/docker 0 - 28.5.2Go

docker/docker/daemon <= 28.5.2

moby/Docker Engine < 29.5.1

moby/moby 0 - 2.0.0-beta.14Go

moby/moby 0 - 28.5.2Go

moby/moby/v2/daemon < 2.0.0-beta.14

Published Jun 05, 2026

Tracked Since Jun 05, 2026