PT-2026-41765 · Docker+1

Osidb Bzimport

·

Published

2026-05-18

·

Updated

2026-07-02

·

CVE-2026-41567

CVSS v3.1

7.5

High

Vector

AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Docker (affected versions not specified)

Description

When handling 'PUT /containers/{id}/archive' requests whose payload is a compressed archive, the daemon decompresses it by invoking external system binaries (xz or gzip). Due to incorrect operation ordering, these binaries are resolved from the container filesystem instead of the host filesystem. An attacker who controls the container image can therefore ship a trojanized decompression binary that the daemon executes with its own privileges, i.e. host root UID and unrestricted capabilities, crossing the container-to-host trust boundary. The condition is reached when a user runs a container from the malicious image and then uploads an xz- or gzip-compressed archive into it, either directly through the 'PUT /containers/{id}/archive' API or by piping one in with 'docker cp -' (the CLI uses the same endpoint for copies into a container).

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Only run containers from trusted images. Use an authorization plugin to restrict access to the 'PUT /containers/{id}/archive' endpoint; note that this also blocks ordinary 'docker cp' into containers, since the CLI uses the same endpoint. Avoid piping compressed archives into containers created from untrusted images. The openSUSE and SUSE advisories listed under Related Identifiers are distribution security updates; check them for patched packages on those platforms.
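The authorization-plugin mitigation recommended above, worked through as an added example (this is not Docker's own code): a minimal Go authorization plugin that speaks the daemon's plugin protocol (/Plugin.Activate, /AuthZPlugin.AuthZReq, /AuthZPlugin.AuthZRes) over a Unix socket and denies PUT /containers/{id}/archive for every user while letting all other API calls through. The plugin name no-archive-upload, its socket path and the log wording are assumptions for this example; the daemon is pointed at it with dockerd --authorization-plugin=no-archive-upload.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"os"
	"regexp"
)

// Socket under /run/docker/plugins is one of the locations dockerd scans for
// plugins. The name "no-archive-upload" is an assumption for this example and
// must match the --authorization-plugin=no-archive-upload flag given to dockerd.
const socketPath = "/run/docker/plugins/no-archive-upload.sock"

// authzRequest holds the fields of the JSON body dockerd POSTs to
// /AuthZPlugin.AuthZReq that this plugin needs; RequestBody and
// RequestHeaders are present in the protocol but ignored here.
type authzRequest struct {
	User            string `json:"User"`
	UserAuthNMethod string `json:"UserAuthNMethod"`
	RequestMethod   string `json:"RequestMethod"`
	RequestURI      string `json:"RequestUri"`
}

// authzResponse is the verdict returned to the daemon.
type authzResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// archiveUpload matches the archive endpoint with or without the optional
// /v1.xx API version prefix and with any query string (?path=...).
var archiveUpload = regexp.MustCompile(`^(/v[0-9]+\.[0-9]+)?/containers/[^/?]+/archive(\?.*)?$`)

// Decide returns whether a daemon API call is allowed and, if not, why.
// Only PUT (copy into the container) is blocked; GET and HEAD on the same
// path copy out of the container and never reach the decompression code.
func Decide(method, uri string) (bool, string) {
	if method == http.MethodPut && archiveUpload.MatchString(uri) {
		return false, "uploading archives into containers is disabled on this host (PUT /containers/{id}/archive)"
	}
	return true, ""
}

func writeJSON(w http.ResponseWriter, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(v); err != nil {
		log.Printf("encode response: %v", err)
	}
}

// NewHandler wires the three endpoints of the authorization plugin protocol.
func NewHandler() http.Handler {
	mux := http.NewServeMux()
	// Handshake: advertise the plugin interface we implement.
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, map[string][]string{"Implements": {"authz"}})
	})
	// Request-side hook: runs before the daemon executes the call.
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req authzRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			// A malformed request is denied rather than allowed by default.
			writeJSON(w, authzResponse{Allow: false, Err: "bad authz request: " + err.Error()})
			return
		}
		allow, msg := Decide(req.RequestMethod, req.RequestURI)
		if !allow {
			log.Printf("denied %s %s for user %q (%s)", req.RequestMethod, req.RequestURI, req.User, req.UserAuthNMethod)
		}
		writeJSON(w, authzResponse{Allow: allow, Msg: msg})
	})
	// Response-side hook: nothing to filter on the way back to the client.
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		writeJSON(w, authzResponse{Allow: true})
	})
	return mux
}

func main() {
	_ = os.Remove(socketPath) // stale socket from a previous run
	ln, err := net.Listen("unix", socketPath)
	if err != nil {
		log.Fatalf("listen %s: %v", socketPath, err)
	}
	log.Printf("authz plugin listening on %s", socketPath)
	log.Fatal(http.Serve(ln, NewHandler()))
}
```

The decision is deliberately per endpoint rather than per payload: the daemon forwards request bodies to authorization plugins only for text and JSON content types, so a plugin never sees the uploaded tar and cannot tell a gzip- or xz-compressed archive from a plain one. A finer policy, if needed, can key on the User field (for example allowing the endpoint for a CI service account only), but the payload itself is not inspectable at this layer.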

Weakness Enumeration

Uncontrolled Search Path Element (CWE-427)

Related Identifiers

CVE-2026-41567
GHSA-X86F-5XW2-FM2R
GO-2026-5746
OPENSUSE-SU-2026:11075-1
OPENSUSE-SU-2026:11144-1
OPENSUSE-SU-2026:21060-1
OPENSUSE-SU-2026:21205-1
SUSE-SU-2026:22285-1
SUSE-SU-2026:22367-1
SUSE-SU-2026:2692-1

Affected Products

Docker
Red Os