Arbitrary Code Execution Vulnerability in Moby Container Framework
CVE-2026-41567

7.2 HIGH

Key Information:

Vendor: Moby
CVE Published: 5 June 2026

What is CVE-2026-41567?

A recent vulnerability in the Moby Container Framework allows arbitrary code execution when a user uploads a compressed archive (e.g., xz or gzip) to a container via PUT /containers/{id}/archive or through docker cp -. The issue occurs because decompression binaries are resolved improperly: they are fetched from the container's filesystem instead of the host's. Consequently, if a malicious container image includes a compromised decompression binary, it can execute arbitrary code with full privileges, including host root UID access. This vulnerability is addressed in the latest Docker Engine release 29.5.1 and Moby v2.0.0-beta.14. Users are advised to run containers only from trusted images and to implement authorization plugins that limit access to critical endpoints.
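
The authorization-plugin mitigation mentioned above, sketched as an added example (not code from Moby, Docker or this advisory): the decision logic of a plugin that denies archive uploads into containers while leaving other API calls alone. The JSON field names follow Docker's authorization plugin protocol; the type and function names, the sample API version and the deny-all-uploads policy are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Subset of the JSON body the daemon sends to a plugin's /AuthZPlugin.AuthZReq
// endpoint, and the reply it expects. Type names here are hypothetical.
type authzRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}

type authzResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// /containers/{id}/archive, with or without the /vN.NN API version prefix.
var archivePath = regexp.MustCompile(`^(/v[0-9.]+)?/containers/.+/archive/?$`)

// decide answers one raw AuthZReq body and fails closed on malformed input.
func decide(body []byte) authzResponse {
	var req authzRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return authzResponse{Allow: false, Msg: "unparseable authz request"}
	}
	u, err := url.ParseRequestURI(req.RequestURI)
	if err != nil {
		return authzResponse{Allow: false, Msg: "unparseable request URI"}
	}
	// Copying into a container is a PUT on the archive endpoint; GET (copy out) stays allowed.
	if strings.EqualFold(req.RequestMethod, "PUT") && archivePath.MatchString(u.Path) {
		return authzResponse{Allow: false, Msg: "archive upload to containers is blocked by policy"}
	}
	return authzResponse{Allow: true}
}

func main() {
	// Constructed sample request, not captured traffic.
	sample := `{"RequestMethod":"PUT","RequestUri":"/v1.47/containers/abc123/archive?path=%2Ftmp"}`
	out, _ := json.Marshal(decide([]byte(sample)))
	fmt.Println(string(out))
}
```

A policy like this restricts who can reach the endpoint; it does not replace upgrading to a fixed release.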

Affected Version(s)

Docker Engine < 29.5.1

docker/daemon <= 28.5.2

moby/v2/daemon < 2.0.0-beta.14

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
