{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-41567","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-21T14:15:21.957Z","datePublished":"2026-06-05T00:35:50.563Z","dateUpdated":"2026-07-10T12:06:06.578Z"},"containers":{"cna":{"title":"Docker: `PUT /containers/{id}/archive` executes container binary on the host","problemTypes":[{"descriptions":[{"cweId":"CWE-427","lang":"en","description":"CWE-427: Uncontrolled Search Path Element","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r","tags":["x_refsource_CONFIRM"],"url":"https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r"}],"affected":[{"vendor":"moby","product":"moby/v2/daemon","versions":[{"version":"< 2.0.0-beta.14","status":"affected"}]},{"vendor":"moby","product":"Docker Engine","versions":[{"version":"< 29.5.1","status":"affected"}]},{"vendor":"docker","product":"docker/daemon","versions":[{"version":"<= 28.5.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-05T00:35:50.563Z"},"descriptions":[{"lang":"en","value":"Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images"}],"source":{"advisory":"GHSA-x86f-5xw2-fm2r","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-05T13:11:38.173928Z","id":"CVE-2026-41567","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-05T13:11:47.568Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_data_foundation:4.22::el9"],"defaultStatus":"affected","product":"Red Hat Openshift Data Foundation 4.22","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:exploit_intelligence:0"],"defaultStatus":"affected","product":"Exploit Intelligence","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_engine"],"defaultStatus":"affected","product":"Multicluster Engine for Kubernetes","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"affected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:source_to_image:1"],"defaultStatus":"affected","product":"OpenShift Source-to-Image (S2I)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2"],"defaultStatus":"affected","product":"Red Hat Advanced Cluster Management for Kubernetes 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:5"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:7"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:8"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ceph_storage:9"],"defaultStatus":"affected","product":"Red Hat Ceph Storage 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_distributed_tracing:3"],"defaultStatus":"affected","product":"Red Hat OpenShift distributed tracing 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub"],"defaultStatus":"unaffected","product":"Multicluster Global Hub","vendor":"Red Hat"}],"datePublic":"2026-06-05T00:35:50.563Z","descriptions":[{"lang":"en","value":"A flaw was found in Moby, the open-source container framework, and Docker Engine. A malicious container image can exploit this vulnerability to achieve arbitrary code execution with full daemon privileges, including host root access. This occurs when a user uploads a compressed archive to the container, as the daemon incorrectly uses decompression binaries from the container's filesystem. This allows an attacker to gain complete control over the affected system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-427","description":"Uncontrolled Search Path Element","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-41567"},{"name":"RHBZ#2485356","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2485356"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41567.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:37387"}],"solutions":[{"lang":"en","value":"RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22"}],"timeline":[{"lang":"en","time":"2026-06-05T02:00:54.488Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-05T00:35:50.563Z","value":"Made public."}],"title":"docker: Moby/Docker Engine: Arbitrary Code Execution via malicious container image and compressed archive upload","workarounds":[{"lang":"en","value":"To mitigate this issue, Red Hat recommends only running containers from trusted images. Additionally, users should avoid piping compressed archives into containers created from untrusted images. For environments utilizing authorization plugins, restricting access to the `PUT /containers/{id}/archive` endpoint can further reduce exposure."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-10T12:06:06.578Z"}}]}}