Critical Docker Engine Vulnerability Exposes Hosts to Arbitrary Code Execution
A critical security vulnerability, identified as CVE-2026-41567, has been disclosed, impacting Docker Engine versions prior to 29.5.1 and moby/moby v2 prior to v2.0.0-beta.14. This flaw enables a malicious container image to achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities. The vulnerability arises when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`. In such scenarios, the Docker daemon incorrectly resolves decompression binaries (like `xz` or `unpigz`) from the container's filesystem instead of the host's, due to an improper ordering of operations. This allows a trojanized decompression binary within a compromised container image to hijack the process and execute arbitrary code on the host.
This vulnerability is highly significant for practitioners because it represents a direct path to host compromise, bypassing container isolation. Unlike typical container escapes that might require further privilege escalation, this flaw grants full daemon privileges, effectively giving an attacker root access to the underlying host. For organizations running Docker in production, especially those allowing users to upload or copy compressed archives into containers, the risk of a complete system takeover is immediate and severe. The ease with which this can be exploited, simply by using a specially crafted container image and a common Docker operation, makes it a high-priority concern for any team managing containerized environments.
The disclosure of CVE-2026-41567 aligns with a broader, well-established trend in cloud and DevOps security: the increasing focus on software supply chain integrity. As container adoption has surged, so too has the attack surface related to container images, registries, and runtime environments. Recent years have seen numerous incidents highlighting the dangers of compromised dependencies, malicious images, and vulnerabilities in container orchestration tools. This Docker Engine flaw underscores that even fundamental components of the container ecosystem are not immune to critical vulnerabilities, reinforcing the need for continuous vigilance and proactive security practices throughout the entire software development lifecycle, from image creation to deployment and runtime.
In practice, practitioners should prioritize updating their Docker Engine installations to version 29.5.1 or moby/moby to v2.0.0-beta.14 immediately. For those unable to update instantly, Amazon's advisory suggests workarounds including running containers only from trusted images, utilizing authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and strictly avoiding piping compressed archives into containers created from untrusted sources. Furthermore, this incident serves as a stark reminder to implement robust image scanning, sign and verify container images, and enforce least privilege principles for both containers and the Docker daemon itself. Regular security audits and staying informed about new CVEs are no longer optional but critical components of a secure container strategy.
Read original source