Source: docker.io
Version: 28.5.2+dfsg4-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for docker.io.

CVE-2026-41567[0]:
| Moby is an open source container framework. In versions prior to
| 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a
| compressed archive is uploaded to a container via `PUT
| /containers/{id}/archive` or piped through `docker cp -`, the daemon
| resolves decompression binaries (such as `xz` or `unpigz`) from the
| container's filesystem rather than the host's due to incorrect
| ordering of operations. A malicious container image containing a
| trojanized decompression binary can achieve arbitrary code execution
| with full daemon privileges, including host root UID and
| unrestricted capabilities, when a user uploads a compressed (xz or
| gzip) archive into that container. This issue is fixed in Docker
| Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only
| running containers from trusted images, using authorization plugins
| to restrict access to the `PUT /containers/{id}/archive` endpoint,
| and avoiding piping compressed archives into containers created from
| untrusted images
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41567
    https://www.cve.org/CVERecord?id=CVE-2026-41567
[1] https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
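The advisory quoted above lists, as one workaround until the fixed version is installed, an authorization plugin that restricts the `PUT /containers/{id}/archive` endpoint (the same endpoint `docker cp` and `docker cp -` use to write into a container). The following is an added example of such a decision routine; it is not part of this bug report and not Moby/Docker project code. It follows the request/response field names of the Docker authorization plugin protocol (`RequestMethod`, `RequestUri`, `Allow`, `Msg`, and the `/Plugin.Activate`, `/AuthZPlugin.AuthZReq`, `/AuthZPlugin.AuthZRes` routes); the sample requests, user names and container ids are constructed. Reads from the same path (`GET`/`HEAD`, i.e. `docker cp` out of a container) and every other endpoint stay allowed.

```python
"""Deny archive uploads into containers via a Docker authorization plugin.

Added example for the workaround named in the CVE-2026-41567 advisory; not
Moby/Docker code. Field names follow the Docker AuthZ plugin protocol; all
sample requests below are constructed, not captured from a daemon.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Docker API paths may carry an optional version prefix (/v1.45/...) and a
# query string (?path=/tmp); the decision is made on the path alone.
ARCHIVE_PATH = re.compile(r"^(?:/v[0-9]+(?:\.[0-9]+)?)?/containers/[^/]+/archive$")


def is_archive_upload(method: str, uri: str) -> bool:
    """True when the request would write an archive into a container."""
    path = urlsplit(uri).path
    return method.upper() == "PUT" and ARCHIVE_PATH.match(path) is not None


def authz_req(payload: dict) -> dict:
    """Decision for one AuthZPlugin.AuthZReq call.

    `payload` mirrors the JSON the daemon sends; the reply carries Allow/Msg.
    Only the archive-upload endpoint is blocked; everything else is allowed.
    """
    method = payload.get("RequestMethod", "")
    uri = payload.get("RequestUri", "")
    if is_archive_upload(method, uri):
        return {
            "Allow": False,
            "Msg": "archive upload into containers is disabled "
                   "(CVE-2026-41567 workaround; upgrade the daemon)",
        }
    return {"Allow": True}


# Constructed sample requests (hypothetical user and container id).
SAMPLE_REQUESTS = [
    {"User": "alice", "RequestMethod": "PUT",
     "RequestUri": "/v1.45/containers/3f2a1c/archive?path=/tmp&noOverwriteDirNonDir=true"},
    {"User": "alice", "RequestMethod": "GET",
     "RequestUri": "/v1.45/containers/3f2a1c/archive?path=/etc/hostname"},
    {"User": "alice", "RequestMethod": "POST",
     "RequestUri": "/v1.45/containers/create"},
]


def evaluate_samples() -> list:
    """Allow/deny verdict for each constructed sample, in order."""
    return [authz_req(r)["Allow"] for r in SAMPLE_REQUESTS]


class PluginHandler(BaseHTTPRequestHandler):
    """HTTP side of the plugin: activation, request and response hooks."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/Plugin.Activate":
            reply = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            reply = authz_req(body)
        elif self.path == "/AuthZPlugin.AuthZRes":
            reply = {"Allow": True}  # daemon responses are not filtered here
        else:
            self.send_error(404)
            return
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(host: str = "127.0.0.1", port: int = 8000) -> None:
    """Serve the plugin over TCP (assumed local test setup; see note)."""
    HTTPServer((host, port), PluginHandler).serve_forever()


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["RequestMethod"], req["RequestUri"], "->", authz_req(req))
```

Run stand-alone, the script prints the verdict for the three constructed requests (the `PUT` upload is denied, the `GET` read and the container create are allowed). To use it as a plugin, `serve()` has to be reachable by the daemon through the plugin discovery mechanism (a socket or spec file under the plugin directory) and the daemon started with `--authorization-plugin=<name>`; the TCP listener above is only an assumed local setup. This is a containment measure, not a fix: the decompression-binary lookup described in the advisory is only corrected by upgrading to the fixed version.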