VYPR
High severity · 7.2 · GHSA Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-41567

Description

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via PUT /containers/{id}/archive or piped through docker cp -, the daemon resolves decompression binaries (such as xz or unpigz) from the container's filesystem rather than the host's, due to an incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can therefore achieve arbitrary code execution with full daemon privileges, including the host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, and avoiding piping compressed archives into containers created from untrusted images.
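One concrete form of the authorization-plugin workaround named above, written here as an added example (it is not code from Moby, Docker or the advisory). It assumes the Docker authorization plugin protocol: the daemon POSTs a JSON body with `User`, `RequestMethod` and `RequestUri` to `/AuthZPlugin.AuthZReq` and expects `{"Allow": bool, "Msg": string}` back. The allow-list entry `ops-admin` and the listen address are constructed values, and plugin registration with the daemon is not shown. Because `docker cp -` goes through the same endpoint, gating PUT on `/containers/{id}/archive` covers both paths the description mentions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"regexp"
)

// authzRequest mirrors the fields of interest that the daemon sends to an
// authorization plugin on /AuthZPlugin.AuthZReq (assumed protocol; the
// real request carries more fields, which we ignore).
type authzRequest struct {
	User          string `json:"User"`          // set only when TLS client certificates are in use
	RequestMethod string `json:"RequestMethod"` // e.g. "PUT"
	RequestURI    string `json:"RequestUri"`    // e.g. "/v1.45/containers/abc/archive?path=/tmp"
}

// authzResponse is the decision returned to the daemon.
type authzResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// archiveUploadRe matches /containers/{id}/archive with an optional API
// version prefix and an optional query string; it deliberately does not
// match deeper paths such as /containers/{id}/archive/anything.
var archiveUploadRe = regexp.MustCompile(`^(/v[0-9]+\.[0-9]+)?/containers/[^/?]+/archive(\?.*)?$`)

// isArchiveUpload reports whether the request is an archive upload into a
// container, i.e. exactly the endpoint the advisory's workaround restricts.
func isArchiveUpload(method, uri string) bool {
	return method == http.MethodPut && archiveUploadRe.MatchString(uri)
}

// decide allows every request except archive uploads, which only users on
// the allow-list may perform. Everything else is left to the daemon's own
// checks, so the plugin changes nothing but this one endpoint.
func decide(req authzRequest, allowedUsers map[string]bool) authzResponse {
	if !isArchiveUpload(req.RequestMethod, req.RequestURI) {
		return authzResponse{Allow: true}
	}
	if allowedUsers[req.User] {
		return authzResponse{Allow: true}
	}
	return authzResponse{
		Allow: false,
		Msg:   "archive upload into containers is restricted (CVE-2026-41567 workaround)",
	}
}

// authzReqHandler decodes the daemon's request and writes the decision.
func authzReqHandler(allowedUsers map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req authzRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad authz request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(decide(req, allowedUsers))
	}
}

func main() {
	// Constructed allow-list: only this TLS user may upload archives.
	allowed := map[string]bool{"ops-admin": true}
	http.HandleFunc("/AuthZPlugin.AuthZReq", authzReqHandler(allowed))
	// The response-phase hook is not needed for this workaround, so it allows everything.
	http.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(authzResponse{Allow: true})
	})
	_ = http.ListenAndServe("127.0.0.1:8080", nil) // constructed listen address
}
```

One practical caveat: `User` is populated only when the daemon authenticates clients with TLS certificates. On a plain Unix-socket deployment every caller arrives with an empty user, so this plugin would deny all archive uploads, which is the conservative outcome but should be a deliberate choice.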


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions    Patched versions
github.com/moby/moby/v2    Go          < 2.0.0-beta.14      2.0.0-beta.14
github.com/docker/docker   Go          <= 28.5.2            (not listed)
github.com/moby/moby       Go          <= 28.5.2            (not listed)

Affected products: 118


References: 3

News mentions: 0 (no linked articles in the index yet)