CVE-2026-41567 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-41567/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 18 May 2026 17:47:42 +0000Docker `PUT /containers/{id}/archive` Vulnerability Allows Host Root Code Executionhttps://feed.craftedsignal.io/briefs/2026-05-docker-archive-rce/Mon, 18 May 2026 17:47:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-docker-archive-rce/A vulnerability exists in Docker where a malicious container image can execute arbitrary code with host root privileges by exploiting the decompression of compressed archives uploaded via the `PUT /containers/{id}/archive` endpoint, tracked as CVE-2026-41567.A vulnerability, identified as CVE-2026-41567, exists in Docker related to the handling of compressed archives uploaded via the PUT /containers/{id}/archive endpoint. When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges. The vulnerability stems from the Docker daemon incorrectly resolving decompression binaries from the container’s filesystem instead of the host’s when handling PUT /containers/{id}/archive requests with compressed archives. This allows a container image containing a trojanized decompression binary (e.g., xz or gzip) to achieve code execution as the daemon process whenever a compressed archive is uploaded to that container. This issue affects Docker versions up to 28.5.2, moby/moby versions up to 28.5.2, and go/github.com/moby/moby/v2 versions prior to 2.0.0-beta.14.

Attack Chain

  1. An attacker crafts a malicious Docker image containing a trojanized decompression binary (e.g., xz or gzip).
  2. The attacker deploys the malicious Docker image to a system.
  3. A user runs a container from the malicious image.
  4. The user uploads a compressed archive (either xz or gzip) into the container. This can be achieved by piping a compressed archive via docker cp - or by calling the PUT /containers/{id}/archive API directly with compressed content.
  5. When processing the PUT /containers/{id}/archive request, the Docker daemon attempts to decompress the archive.
  6. Due to the vulnerability, the Docker daemon executes the trojanized decompression binary from within the container’s filesystem instead of using a trusted host binary.
  7. The trojanized decompression binary executes arbitrary code with the privileges of the Docker daemon, which includes host root privileges.
  8. The attacker gains control of the host system.

Impact

Successful exploitation of this vulnerability leads to arbitrary code execution as host root, effectively bypassing the container-to-host trust boundary. This allows an attacker to gain full control of the host system, potentially leading to data exfiltration, system compromise, or other malicious activities.

Recommendation

  • Upgrade to Docker version 28.5.3 or later to remediate CVE-2026-41567.
  • Apply available patches for go/github.com/moby/moby/v2 before version 2.0.0-beta.14 to remediate CVE-2026-41567.
  • Implement authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, as recommended in the overview.
  • Avoid piping compressed archives into containers created from untrusted images, as discussed in the conditions for exploitation.
]]>highthreatdockercontainerrceprivilege-escalationCVE-2026-41567