CVE-2026-41567
Published 2026-06-05
Priority: P3 · 42 · high · 7.2 (CVSS 3.1)
Vector: AV:L / AC:H / PR:L / UI:R / S:C / C:H / I:H / A:N
EPSS: 0.15% (4.9th percentile)
Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images.
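The authorization-plugin workaround named above comes down to one decision on the request method and path. The following Go sketch of that decision is an added example, not code from Moby or from any advisory; the type and function names are illustrative, and a full plugin would also have to answer `/Plugin.Activate` and `/AuthZPlugin.AuthZRes`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Subset of the JSON the daemon POSTs to an authorization plugin's
// /AuthZPlugin.AuthZReq endpoint.
type authZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}

type authZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// /containers/{id}/archive, with or without an API version prefix such as /v1.45.
var archivePath = regexp.MustCompile(`^(/v[0-9]+\.[0-9]+)?/containers/[^/]+/archive$`)

// decide denies archive uploads and allows everything else. It sees only the
// method and path, so it blocks plain tar uploads as well as compressed ones.
func decide(req authZRequest) authZResponse {
	u, err := url.ParseRequestURI(req.RequestURI)
	if err != nil {
		return authZResponse{Msg: "unparseable request URI"} // fail closed
	}
	if strings.EqualFold(req.RequestMethod, http.MethodPut) &&
		archivePath.MatchString(path.Clean(u.Path)) {
		return authZResponse{Msg: "archive upload blocked (CVE-2026-41567 workaround)"}
	}
	return authZResponse{Allow: true}
}

// handleAuthZReq is the handler a plugin would mount at /AuthZPlugin.AuthZReq.
func handleAuthZReq(w http.ResponseWriter, r *http.Request) {
	var req authZRequest
	resp := authZResponse{Msg: "malformed authorization request"}
	if err := json.NewDecoder(r.Body).Decode(&req); err == nil {
		resp = decide(req)
	}
	json.NewEncoder(w).Encode(resp)
}

func main() {
	// Constructed sample requests, not captured traffic.
	for _, r := range []authZRequest{
		{"PUT", "/v1.45/containers/3f2a/archive?path=/tmp"},
		{"GET", "/v1.45/containers/3f2a/archive?path=/etc/hostname"},
		{"POST", "/v1.45/containers/3f2a/start"},
	} {
		fmt.Printf("%-4s %-50s allow=%v\n", r.RequestMethod, r.RequestURI, decide(r).Allow)
	}
}
```

Downloads (`GET`) and stat calls (`HEAD`) on the same path remain allowed, since only the upload direction triggers decompression on the daemon side.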
Affected
31 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anchore | syft | — | — |
| aquasecurity | trivy | — | — |
| buildah_project | buildah | — | — |
| container-tools_rhel8 | skopeo | — | — |
| docker | docker_daemon | <= 28.5.2 | — |
| exploit-intelligence-tech-preview | agent-client-rhel9 | — | — |
| github.com | docker_docker | 0 – 28.5.2 | — |
| github.com | moby_moby | 0 – 28.5.2 | — |
| github.com | moby_moby_v2 | >= 0 < 2.0.0-beta.14 | 2.0.0-beta.14 |
| moby | docker_engine | < 29.5.1 | 29.5.1 |
| moby | moby_v2_daemon | < 2.0.0-beta.14 | 2.0.0-beta.14 |
| multicluster-engine | assisted-service-8-rhel8 | — | — |
| multicluster-engine | assisted-service-9-rhel9 | — | — |
| multicluster-engine | cluster-api-provider-azure-rhel9 | — | — |
| multicluster-globalhub | multicluster-globalhub-grafana-rhel9 | — | — |
| open-telemetry | opentelemetry-collector-contrib | — | — |
| openshift-lightspeed | lightspeed-rhel9-operator | — | — |
| openshift4 | ose-agent-installer-api-server-rhel8 | — | — |
| openshift4 | ose-agent-installer-api-server-rhel9 | — | — |
| openshift4 | ose-azure-cluster-api-controllers-rhel9 | — | — |
| openshift4 | ose-gcp-cluster-api-controllers-rhel9 | — | — |
| openshift4 | ose-openstack-cluster-api-controllers-rhel9 | — | — |
| podman_project | podman | — | — |
| rhacm2 | acm-grafana-rhel9 | — | — |
| rhceph | grafana-rhel10 | — | — |
CVSS provenance
nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
vendor_redhat · 7.2 HIGH
Red Hat
docker: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload
vendor_redhat·2026-06-05·CVSS 7.2
CVE-2026-41567 [HIGH] CWE-427 docker: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload
GHSA
Docker: `PUT /containers/{id}/archive` executes container binary on the host
ghsa·2026-05-18
CVE-2026-41567 [HIGH] CWE-427 Docker: `PUT /containers/{id}/archive` executes container binary on the host
## Summary
When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges.
## Details
When handling `PUT /containers/{id}/archive` requests with compressed archives, the daemon decompresses them using external system binaries. Due to incorrect ordering of operations, these binaries are resolved from the container's filesystem rather than the host's. A container image that includes a trojanized decompression binary can achieve code execution as the daemon process whenever a compressed archive is uploaded to that container.
The executed binary runs with the daemon's full privileges, including host root UID and unrestricted capabilities.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41567 inspektor-gadget: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-41567 prometheus: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 headscale: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 k9s: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Discussion:
Not sure how this is relevant for k9s since moby is used as an indirect dependency and the issue lies in the docker daemon, not the docker client...
Bugzilla
CVE-2026-41567 openbao: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [epel-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 trivy: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 prometheus: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [epel-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 singularity-ce: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [epel-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 docker-buildx: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 apptainer: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [epel-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 singularity-ce: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 apptainer: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 docker-compose: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 nuclei: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [epel-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 moby-engine: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Discussion:
moby 29.5.3 is the current release in Fedora, with v29.6.0 in progress
Bugzilla
CVE-2026-41567 nuclei: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 jfrog-cli: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 openbao: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload [fedora-all]
bugzilla·2026-06-26·CVSS 7.2
Bugzilla
CVE-2026-41567 docker: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload
bugzilla·2026-06-05·CVSS 7.2
Published: 2026-06-05