Docker: `PUT /containers/{id}/archive` executes container binary on the host
Description
Summary
When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges.
Details
When handling PUT /containers/{id}/archive requests with compressed archives, the daemon decompresses them using external system binaries. Due to incorrect ordering of operations, these binaries are resolved from the container's filesystem rather than the host's. A container image that includes a trojanized decompression binary can achieve code execution as the daemon process whenever a compressed archive is uploaded to that container.
The executed binary runs with the daemon's full privileges, including host root UID and unrestricted capabilities.
Impact
Arbitrary code execution as host root, crossing the container-to-host trust boundary.
Conditions for exploitation
- A user must run a container from a malicious image that contains a trojanized decompression binary.
- The user must then upload a compressed archive (xz or gzip) into that container, either by piping a compressed archive via
docker cp -or by calling thePUT /containers/{id}/archiveAPI directly with compressed content.
Not affected
Standard docker cp usage is not affected, because the CLI sends uncompressed tar by default:
docker cp ./file.txt mycontainer:/file.txt
This can only be exploited when explicitly passing a xz or gzip-compressed archive to docker cp or the PUT /containers/{id}/archive API, for example:
cat archive.tar.xz | docker cp - mycontainer:/dir
Decompression formats using pure Go implementations (bzip2, zstd, and gzip when the container image does not contain an unpigz binary) are also not affected.
Workarounds
- Only run containers from trusted images.
- Use authorization plugins to limit access to the
PUT /containers/{id}/archiveendpoint. - Avoid piping compressed archives into containers created from untrusted images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Docker daemon resolves decompression binaries from container filesystem, allowing arbitrary code execution as host root when compressed archive is uploaded to a malicious container.
Vulnerability
The Docker daemon incorrectly resolves decompression binaries from the container's filesystem rather than the host when processing PUT /containers/{id}/archive requests with compressed archives (xz or gzip) [1][2]. This path resolution flaw allows a container image containing a trojanized decompression binary to execute arbitrary code on the host.
Exploitation
An attacker must first run a container from a malicious image that includes a trojanized decompression binary, such as a modified xz or gzip executable [1][2]. Exploitation then requires uploading a compressed archive into that container, either by piping it via docker cp - or calling the API directly with compressed content. Standard docker cp usage with uncompressed tar is not affected [1][2]. Formats using pure Go decompressors (bzip2, zstd, and gzip without unpigz) are also unaffected.
Impact
Successful exploitation grants arbitrary code execution as the daemon process with host root privileges and full capabilities, breaking the container-to-host isolation boundary [1][2].
Mitigation
No patch is currently available. Workarounds include running only trusted container images, using authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, and avoiding the upload of compressed archives into containers from untrusted images [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.