CVE-2026-41567
published 2026-06-05

Priority: P342 | high | 7.2 (CVSS 3.1)
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.15% (4.9th percentile)

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images.

Affected

31 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| anchore | syft | | |
| aquasecurity | trivy | | |
| buildah_project | buildah | | |
| container-tools_rhel8 | skopeo | | |
| docker | docker_daemon | <= 28.5.2 | |
| exploit-intelligence-tech-preview | agent-client-rhel9 | | |
| github.com | docker_docker | 0 – 28.5.2 | |
| github.com | moby_moby | 0 – 28.5.2 | |
| github.com | moby_moby_v2 | >= 0 < 2.0.0-beta.14 | 2.0.0-beta.14 |
| moby | docker_engine | < 29.5.1 | 29.5.1 |
| moby | moby_v2_daemon | < 2.0.0-beta.14 | 2.0.0-beta.14 |
| multicluster-engine | assisted-service-8-rhel8 | | |
| multicluster-engine | assisted-service-9-rhel9 | | |
| multicluster-engine | cluster-api-provider-azure-rhel9 | | |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | | |
| open-telemetry | opentelemetry-collector-contrib | | |
| openshift-lightspeed | lightspeed-rhel9-operator | | |
| openshift4 | ose-agent-installer-api-server-rhel8 | | |
| openshift4 | ose-agent-installer-api-server-rhel9 | | |
| openshift4 | ose-azure-cluster-api-controllers-rhel9 | | |
| openshift4 | ose-gcp-cluster-api-controllers-rhel9 | | |
| openshift4 | ose-openstack-cluster-api-controllers-rhel9 | | |
| podman_project | podman | | |
| rhacm2 | acm-grafana-rhel9 | | |
| rhceph | grafana-rhel10 | | |

CVSS provenance

nvd: v3.1, 7.2 HIGH, CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
vendor_redhat: 7.2 HIGH