Arbitrary Code Execution Vulnerability in Moby Container Framework
CVE-2026-41567
What is CVE-2026-41567?
A recent vulnerability in the Moby Container Framework allows arbitrary code execution when a user uploads a compressed archive (e.g., xz or gzip) to a container via PUT /containers/{id}/archive or through docker cp -. The issue is caused by improper resolution of decompression binaries: they are resolved from the container's filesystem instead of the host's. Consequently, if a malicious container image includes a compromised decompression binary, it can execute arbitrary code with full privileges, including the host root UID. The vulnerability is addressed in the latest Docker Engine release, 29.5.1, and in Moby v2.0.0-beta.14. Users are advised to run containers only from trusted images and to implement authorization plugins that limit access to critical endpoints.
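The authorization-plugin mitigation mentioned above, as an added example (not code from Moby or from this advisory): the decision function a plugin could call from its /AuthZPlugin.AuthZReq handler to deny PUT requests to the container archive endpoint. The RequestMethod, RequestUri, Allow and Msg fields follow Docker's authorization plugin protocol; the type names, the decide function and the sample requests are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Subset of the JSON body the daemon posts to /AuthZPlugin.AuthZReq.
type authZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}

// Reply the plugin sends back; Allow defaults to false (deny).
type authZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Deliberately broad: optional /vX.Y prefix, any container name, trailing slash.
var archivePath = regexp.MustCompile(`^(/v[0-9.]+)?/containers/.+/archive/?$`)

// decide (hypothetical helper) denies archive uploads and fails closed on bad input.
func decide(raw []byte) authZResponse {
	var req authZRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return authZResponse{Msg: "malformed authorization request"}
	}
	u, err := url.ParseRequestURI(req.RequestURI)
	if err != nil {
		return authZResponse{Msg: "unparsable request URI"}
	}
	if strings.EqualFold(req.RequestMethod, "PUT") && archivePath.MatchString(u.Path) {
		return authZResponse{Msg: "archive upload to containers is blocked by policy"}
	}
	return authZResponse{Allow: true}
}

func main() {
	for _, s := range []string{ // constructed sample requests, not captured traffic
		`{"RequestMethod":"PUT","RequestUri":"/v1.47/containers/web1/archive?path=/tmp"}`,
		`{"RequestMethod":"GET","RequestUri":"/v1.47/containers/json"}`,
	} {
		fmt.Println(s, "-> allow:", decide([]byte(s)).Allow)
	}
}
```

Only PUT is denied, so reading an archive out of a container (GET) and stat requests (HEAD) on the same path still pass.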
Affected Version(s)
Docker Engine < 29.5.1
docker/daemon <= 28.5.2
moby/v2/daemon < 2.0.0-beta.14
