PatchSiren cyber security CVE debrief
CVE-2026-41567 Moby CVE debrief
CVE-2026-41567 is a high-severity vulnerability in the Moby container framework. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue affects versions prior to 29.5.1 and, in moby/moby v2, versions prior to v2.0.0-beta.14.
- Vendor: Moby
- Product: Moby
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of the Moby container framework, particularly those who run containers from untrusted images or upload compressed archives into containers.
Technical summary
The daemon resolves decompression binaries from the container's filesystem rather than the host's because its operations are performed in the wrong order. A malicious container image can therefore execute arbitrary code with full daemon privileges.
Defensive priority
High
Recommended defensive actions
- Upgrade to Docker Engine 29.5.1 or moby/moby v2.0.0-beta.14
- Only run containers from trusted images
- Use authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint
- Avoid piping compressed archives into containers created from untrusted images
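The authorization-plugin mitigation above can be sketched as a request-phase decision function. This is an added example, not Moby's code or part of the advisory; it assumes a policy of denying PUT /containers/{id}/archive for every caller, and the listen address is a placeholder.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Only the fields this policy reads; Go matches JSON keys case-insensitively.
type authzRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}
type authzResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Archive endpoint, optional API version prefix; broad match errs toward deny.
var archivePath = regexp.MustCompile(`^(/v[0-9]+\.[0-9]+)?/containers/.+/archive$`)

// decide denies PUT .../archive for every caller and fails closed on bad input.
func decide(req authzRequest) authzResponse {
	u, err := url.ParseRequestURI(req.RequestURI)
	if err != nil {
		return authzResponse{Msg: "unparseable request URI"}
	}
	if strings.EqualFold(req.RequestMethod, http.MethodPut) && archivePath.MatchString(path.Clean(u.Path)) {
		return authzResponse{Msg: "archive upload into containers is blocked by policy"}
	}
	return authzResponse{Allow: true}
}

// handleAuthZReq answers the daemon's request-phase authorization call.
func handleAuthZReq(w http.ResponseWriter, r *http.Request) {
	var req authzRequest
	resp := authzResponse{Msg: "malformed authorization request"}
	if json.NewDecoder(r.Body).Decode(&req) == nil {
		resp = decide(req)
	}
	json.NewEncoder(w).Encode(resp)
}

func main() {
	http.HandleFunc("/AuthZPlugin.AuthZReq", handleAuthZReq)
	http.ListenAndServe("127.0.0.1:8080", nil) // assumed address for the example
}
```

A deployable plugin also has to answer /Plugin.Activate and /AuthZPlugin.AuthZRes and be enabled on the daemon with --authorization-plugin. Reads of the same endpoint (GET, HEAD) stay allowed, so only uploads into containers are blocked.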
Evidence notes
The vulnerability has a CVSS score of 7.2 and is classified as HIGH severity.
Official resources
- CVE-2026-41567 CVE record (CVE.org)
- CVE-2026-41567 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-41567 was published on 2026-06-05T02:17:13.817Z and modified on 2026-06-05T16:01:30.983Z.