HIGH 7.2

CVE-2026-41567: Moby Container Privilege Escalation via Malicious Archive Decompression

A critical weakness in Moby (the open-source container runtime underlying Docker) allows a malicious container to execute code with full daemon privileges—potentially gaining root access to the host system. The vulnerability occurs when compressed files are uploaded into a container using `docker cp` or the API endpoint `PUT /containers/{id}/archive`. Instead of using decompression tools from the host system, Moby incorrectly uses tools from inside the container itself. If a container image contains a trojanized decompression binary (like xz or unpigz), attackers can exploit this ordering mistake to run arbitrary commands with daemon-level privileges. Versions before Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-427
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-07-10

NVD description (verbatim)

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41567 stems from improper path resolution in the archive decompression workflow within Moby. When users push compressed archives into containers via `PUT /containers/{id}/archive` or `docker cp`, the daemon must decompress the payload before extracting it into the target container. The vulnerability exists because the daemon searches for decompression binaries (xz, gzip, unpigz) within the container's filesystem namespace before consulting the host's PATH. This inverted lookup order allows a container with a malicious decompression tool to intercept the operation and execute code in the daemon's context. The weakness maps to CWE-427 (Uncontrolled Search Path Element), a path traversal/hijacking class vulnerability. The CVSS 3.1 score of 7.2 (HIGH) reflects the need for local access and user interaction (file upload) as preconditions, but the impact—unrestricted code execution as root—is severe.

Business impact

Organizations using Docker or Moby face a privilege escalation risk if developers or operators work with container images from untrusted sources or compromised registries. The attack scenario is realistic: a seemingly legitimate image containing a backdoored decompression tool could be pulled from a public registry, and subsequent file uploads to the container would trigger arbitrary code execution on the host with daemon privileges. For CI/CD pipelines, this could lead to supply chain compromise. Kubernetes deployments are at particular risk if admission controls do not restrict image sources. The impact extends beyond individual containers to the entire cluster infrastructure, since daemon privileges allow lateral movement and host takeover.

Affected systems

Affected versions include Docker Engine versions prior to 29.5.1 and moby/moby v2 prior to v2.0.0-beta.14. Any system running a vulnerable Moby version is at risk if it accepts container archives from untrusted sources. This includes Docker Desktop, Docker Engine Community, Docker Engine Enterprise, and standalone Moby deployments. Systems using older stable branches (e.g., Docker 20.x, 23.x) that have not yet patched to 29.5.1 are vulnerable. Kubernetes clusters, container orchestration platforms, and development machines where developers routinely use `docker cp` are particularly exposed.

Exploitability

Exploitation requires user interaction (a developer or operator must upload a compressed archive into the container) and local access or ability to supply a malicious image. The attack is not remotely exploitable through the Docker API alone; the threat actor must either control the image in the registry or compromise a developer's build pipeline. However, given the prevalence of container image reuse and supply chain vulnerabilities, the practical bar for exploitation is moderate. No public exploit code is known, but the vulnerability class (uncontrolled search path) is well-understood and relatively straightforward to weaponize. Red team exercises and advanced adversaries would likely prioritize this for lateral movement once inside a container environment.

Remediation

Apply Docker Engine 29.5.1 or later, and update moby/moby to v2.0.0-beta.14 or newer. For environments unable to patch immediately, implement compensating controls: restrict access to the `PUT /containers/{id}/archive` endpoint using authorization plugins or API gateway rules; use admission controllers (Kubernetes PodSecurityPolicies or OPA/Gatekeeper) to enforce image source whitelisting; enforce image scanning for malicious binaries in decompression tools; and educate teams to avoid running containers from untrusted images and to be cautious with `docker cp` operations on unfamiliar images.

Patch guidance

Update Docker Engine to version 29.5.1 or later. For moby/moby users, upgrade to v2.0.0-beta.14 or newer. Verify the update in your environment by running `docker --version` and confirming the version number. After patching, restart the Docker daemon and any affected containers. In Kubernetes environments, rolling updates of container runtime versions should follow your standard change management process. Test the patch in a non-production environment first to ensure compatibility with your applications. For organizations on extended support versions (Docker 20.x, 23.x), contact your vendor to confirm EoL status and available patch windows; these older branches may not receive updates and may require migration to newer release channels.

Detection guidance

Monitor for suspicious `docker cp` or API calls to `PUT /containers/{id}/archive` from unexpected users or automation. Implement file integrity monitoring (FIM) on host systems to detect unauthorized writes to container directories and host filesystems during archive operations. Log and audit all container image pulls, especially from public registries; cross-reference against your org's approved image list. Watch for anomalous process execution within containers during file uploads—specifically, unexpected invocations of decompression tools (xz, gzip, unpigz) in container contexts. Enable Docker daemon audit logs (via `--log-driver=splunk` or similar) and correlate with system-level process accounting. Threat intelligence feeds may surface indicators of compromise from malicious images; integrate these into your image scanning pipeline.

Why prioritize this

This vulnerability merits HIGH priority because it enables unauthenticated privilege escalation to daemon/root level, affects foundational container infrastructure, and exploits a common operational workflow (file uploads to containers). The low barrier to weaponization (trojanized binary in a container image) combined with the potential for supply chain compromise makes it a credible risk in environments using untrusted or semi-trusted images. While it does require user action, that action (uploading files, pulling images) is routine in many organizations. Patch availability exists, making remediation straightforward; delaying patching increases exposure window.

Risk score, explained

The CVSS 3.1 score of 7.2 (HIGH) accurately reflects the severity. The Attack Vector is Local (AV:L) because exploitation requires running a malicious container or pushing a malicious image to a system where uploads will occur; pure remote exploitation is not possible. Attack Complexity is High (AC:H) because the attacker must craft a specific trojanized binary matching the target decompression tool and ensure the container is invoked with archive operations. Privileges Required is Low (PR:L) because any user with permission to upload archives or create containers can trigger the flaw. User Interaction is Required (UI:R) because the user must actively upload a file or run `docker cp`. The Scope is Changed (S:C) because the impact (daemon code execution) affects resources beyond the container. Confidentiality and Integrity impacts are High (C:H, I:H) due to full code execution. Availability is None (A:N) because the vulnerability does not directly cause unavailability. The score appropriately balances the severe impact against the non-trivial preconditions.

Frequently asked questions

Can this vulnerability be exploited if I only pull images from Docker Hub official repositories?

Official and verified publisher images undergo security scanning and are less likely to contain intentional malicious binaries. However, this is not a guarantee. Best practice is to combine image source restrictions with runtime scanning tools (Trivy, Anchore) that inspect decompression binaries and other suspicious artifacts within images.

Does using a read-only rootfs in Kubernetes protect against this vulnerability?

A read-only rootfs does not fully protect against this vulnerability because the attack occurs during the decompression phase in the daemon process, not within the container. The threat is to the host daemon, not the container filesystem. However, read-only rootfs is still a valuable defense-in-depth control for limiting other container escape routes.

If I'm on Docker 23.x and my vendor hasn't released a 29.5.1 backport, what should I do?

Contact your Docker/vendor support to understand the patch timeline. In the interim, apply compensating controls: restrict `PUT /containers/{id}/archive` API access via authorization plugins, avoid uploading archives to untrusted images, and enforce image scanning in your CI/CD pipeline. Consider migrating to Docker 29.5.1 or later if you cannot wait for a backport.

Can a Kubernetes NetworkPolicy or RBAC policy prevent this vulnerability?

RBAC can restrict which users or service accounts can create containers or call the archive API, which is helpful. However, NetworkPolicy operates at the network layer and does not prevent local API calls within the cluster. Use Pod Security Standards, admission controllers, and image source whitelisting as primary defenses alongside patching.

This analysis is provided for informational purposes only and does not constitute legal, security, or professional advice. The information reflects the vulnerability as documented as of the published date and is subject to change as additional details emerge. Organizations should verify all patch versions against official vendor advisories before deployment. No exploit code or weaponized proof-of-concept techniques are provided herein. The risk score and severity assessment are based on publicly available CVSS data and threat modeling; actual risk in your environment may differ based on asset inventory, image policies, and operational practices. Consult your security team and vendor documentation for guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).