CVE-2026-41567
Description
Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via PUT /containers/{id}/archive or piped through docker cp -, the daemon resolves decompression binaries (such as xz or unpigz) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, and avoiding piping compressed archives into containers created from untrusted images.
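The authorization-plugin workaround named above, as an added example (not code from the advisory or the Moby project): a minimal Docker authorization plugin that denies PUT /containers/{id}/archive and allows every other request. The plugin name in the socket path is an assumption.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"net/url"
	"regexp"
)

// JSON field names follow Docker's authorization plugin protocol.
type authzRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}

// Matches /containers/{id}/archive with or without the /vX.Y API version prefix.
var archivePath = regexp.MustCompile(`^(/v[0-9]+\.[0-9]+)?/containers/[^/]+/archive/?$`)

// Decide denies archive uploads; it matches on the percent-decoded path and fails closed on bad URIs.
func Decide(method, uri string) (allow bool, msg string) {
	u, err := url.ParseRequestURI(uri)
	if err != nil {
		return false, "unparseable request URI"
	}
	if method == http.MethodPut && archivePath.MatchString(u.Path) {
		return false, "archive upload blocked (CVE-2026-41567 workaround)"
	}
	return true, ""
}

func main() {
	http.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(`{"Implements":["authz"]}`)) })
	http.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(`{"Allow":true}`)) })
	http.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req authzRequest
		if json.NewDecoder(r.Body).Decode(&req) != nil {
			req = authzRequest{} // empty URI makes Decide fail closed
		}
		allow, msg := Decide(req.RequestMethod, req.RequestURI)
		json.NewEncoder(w).Encode(map[string]any{"Allow": allow, "Msg": msg})
	})
	l, err := net.Listen("unix", "/run/docker/plugins/deny-archive-put.sock") // assumed plugin name
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(l, nil))
}
```

The daemon loads the plugin when started with --authorization-plugin set to the socket's base name. Archive downloads (GET and HEAD on the same path) stay allowed, since the description ties the issue to uploads only.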
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/moby/moby/v2 (Go) | < 2.0.0-beta.14 | 2.0.0-beta.14 |
| github.com/docker/docker (Go) | <= 28.5.2 | — |
| github.com/moby/moby (Go) | <= 28.5.2 | — |
Affected products
- Range: <= 28.5.2