{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/docker--28.5.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Docker (\u003c= 28.5.2)","moby/moby (\u003c= 28.5.2)","moby/moby/v2 (\u003c 2.0.0-beta.14)"],"_cs_severities":["high"],"_cs_tags":["docker","container","rce","privilege-escalation","CVE-2026-41567"],"_cs_type":"threat","_cs_vendors":["Docker","Moby"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-41567, exists in Docker related to the handling of compressed archives uploaded via the \u003ccode\u003ePUT /containers/{id}/archive\u003c/code\u003e endpoint. When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges. The vulnerability stems from the Docker daemon incorrectly resolving decompression binaries from the container\u0026rsquo;s filesystem instead of the host\u0026rsquo;s when handling \u003ccode\u003ePUT /containers/{id}/archive\u003c/code\u003e requests with compressed archives. This allows a container image containing a trojanized decompression binary (e.g., xz or gzip) to achieve code execution as the daemon process whenever a compressed archive is uploaded to that container. This issue affects Docker versions up to 28.5.2, moby/moby versions up to 28.5.2, and go/github.com/moby/moby/v2 versions prior to 2.0.0-beta.14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Docker image containing a trojanized decompression binary (e.g., \u003ccode\u003exz\u003c/code\u003e or \u003ccode\u003egzip\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the malicious Docker image to a system.\u003c/li\u003e\n\u003cli\u003eA user runs a container from the malicious image.\u003c/li\u003e\n\u003cli\u003eThe user uploads a compressed archive (either xz or gzip) into the container. This can be achieved by piping a compressed archive via \u003ccode\u003edocker cp -\u003c/code\u003e or by calling the \u003ccode\u003ePUT /containers/{id}/archive\u003c/code\u003e API directly with compressed content.\u003c/li\u003e\n\u003cli\u003eWhen processing the \u003ccode\u003ePUT /containers/{id}/archive\u003c/code\u003e request, the Docker daemon attempts to decompress the archive.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the Docker daemon executes the trojanized decompression binary from within the container\u0026rsquo;s filesystem instead of using a trusted host binary.\u003c/li\u003e\n\u003cli\u003eThe trojanized decompression binary executes arbitrary code with the privileges of the Docker daemon, which includes host root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to arbitrary code execution as host root, effectively bypassing the container-to-host trust boundary. This allows an attacker to gain full control of the host system, potentially leading to data exfiltration, system compromise, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Docker version 28.5.3 or later to remediate CVE-2026-41567.\u003c/li\u003e\n\u003cli\u003eApply available patches for \u003ccode\u003ego/github.com/moby/moby/v2\u003c/code\u003e before version 2.0.0-beta.14 to remediate CVE-2026-41567.\u003c/li\u003e\n\u003cli\u003eImplement authorization plugins to restrict access to the \u003ccode\u003ePUT /containers/{id}/archive\u003c/code\u003e endpoint, as recommended in the overview.\u003c/li\u003e\n\u003cli\u003eAvoid piping compressed archives into containers created from untrusted images, as discussed in the conditions for exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:47:42Z","date_published":"2026-05-18T17:47:42Z","id":"https://feed.craftedsignal.io/briefs/2026-05-docker-archive-rce/","summary":"A vulnerability exists in Docker where a malicious container image can execute arbitrary code with host root privileges by exploiting the decompression of compressed archives uploaded via the `PUT /containers/{id}/archive` endpoint, tracked as CVE-2026-41567.","title":"Docker `PUT /containers/{id}/archive` Vulnerability Allows Host Root Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-docker-archive-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Docker (\u003c= 28.5.2)","version":"https://jsonfeed.org/version/1.1"}