#1139965 docker.io: CVE-2026-41567

Package:
src:docker.io
Source:
src:docker.io
Submitter:
Salvatore Bonaccorso
Date:
2026-06-24 14:39:01 UTC
Severity:
normal
Tags:
#1139965#5
Date:
2026-06-14 06:10:16 UTC
Hi,

The following vulnerability was published for docker.io.

CVE-2026-41567[0]:
| Moby is an open source container framework. In versions prior to
| 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a
| compressed archive is uploaded to a container via `PUT
| /containers/{id}/archive` or piped through `docker cp -`, the daemon
| resolves decompression binaries (such as `xz` or `unpigz`) from the
| container's filesystem rather than the host's due to incorrect
| ordering of operations. A malicious container image containing a
| trojanized decompression binary can achieve arbitrary code execution
| with full daemon privileges, including host root UID and
| unrestricted capabilities, when a user uploads a compressed (xz or
| gzip) archive into that container. This issue is fixed in Docker
| Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only
| running containers from trusted images, using authorization plugins
| to restrict access to the `PUT /containers/{id}/archive` endpoint,
| and avoiding piping compressed archives into containers created from
| untrusted images


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41567
https://www.cve.org/CVERecord?id=CVE-2026-41567
[1] https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
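One way to implement the authorization-plugin workaround the advisory mentions, as an added example (not from the bug report and not Moby's own code): the decision logic an AuthZ plugin would apply to each AuthZReq call, denying uploads to `PUT /containers/{id}/archive` unless the requesting user is on a constructed allowlist. The field names follow the Docker authorization plugin protocol; the HTTP and plugin-socket glue is assumed to be provided separately, and `TRUSTED_UPLOADERS` is a placeholder for this example.

```python
import json
import re

# Regex for the upload endpoint named in the advisory. Docker clients usually
# prefix the path with an API version (e.g. /v1.47/...), the container may be
# referenced by id or name, and `docker cp` appends query parameters.
ARCHIVE_PATH = re.compile(
    r"^(?:/v[0-9]+\.[0-9]+)?/containers/[^/?]+/archive(?:\?.*)?$"
)

# Constructed allowlist: users who may still upload archives. Assumption for
# this example only; a real deployment would load this from configuration.
TRUSTED_UPLOADERS = {"admin"}


def is_archive_upload(method: str, uri: str) -> bool:
    """True for `PUT /containers/{id}/archive`, the endpoint behind
    `docker cp <src> <ctr>:<dst>` and `docker cp - <ctr>:<dst>`.
    GET on the same path (copying out of the container) is not affected."""
    return method.upper() == "PUT" and ARCHIVE_PATH.match(uri) is not None


def authz_req(body: str) -> dict:
    """Decide one AuthZPlugin.AuthZReq call.

    `body` is the JSON the daemon POSTs to the plugin; the fields read here
    (User, RequestMethod, RequestUri) and the reply shape (Allow, Msg) follow
    the Docker authorization plugin protocol."""
    req = json.loads(body)
    user = req.get("User", "")
    if is_archive_upload(req.get("RequestMethod", ""), req.get("RequestUri", "")):
        if user in TRUSTED_UPLOADERS:
            return {"Allow": True}
        return {
            "Allow": False,
            "Msg": "archive upload into containers is disabled "
                   "(CVE-2026-41567 mitigation); use a trusted image or ask an admin",
        }
    return {"Allow": True}


if __name__ == "__main__":
    # Constructed sample request, shaped like what `docker cp - ctr:/tmp`
    # produces when the daemon forwards it to the plugin.
    sample = json.dumps({
        "User": "",
        "UserAuthNMethod": "",
        "RequestMethod": "PUT",
        "RequestUri": "/v1.47/containers/ctr/archive?noOverwriteDirNonDir=true&path=%2Ftmp",
    })
    print(authz_req(sample))
```

Denying the endpoint blocks both `docker cp` into the container and raw API uploads; reads from the container (GET) keep working, and the fixed daemon versions named in the advisory remain the actual remedy.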

#1139965#8
Date:
2026-06-24 10:05:39 UTC
Hello,

Bug #1139965 in docker.io reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/docker/-/commit/2a2caf8dc500bb7cdc642a4fe01ca9817ad8aef0

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1139965

#1139965#13
Date:
2026-06-24 10:05:39 UTC
Hello,

Bug #1139965 in docker.io reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/docker/-/commit/812b28ea9d3f35e0346c1ca60f06778cf099eb0f

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1139965

#1139965#18
Date:
2026-06-24 14:37:04 UTC
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139965@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 23 Jun 2026 11:08:56 -0400
Source: docker.io
Architecture: source
Version: 28.5.2+dfsg4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1139965 1139966 1139967 1140189
Changes:
 docker.io (28.5.2+dfsg4-3) unstable; urgency=medium
 .
   [ Reinhard Tartler ]
   * Backport patch for CVE-2026-41567 (Closes: #1139965)
   * Backport patch for CVE-2026-42306 and CVE-2026-41568,
     (Closes: #1139967, #1139966)
   * Backport patches for CVE-2026-33747 and CVE-2026-33748,
     (Closes: #1140189)
   * Refresh patches
 .
   [ Luca Boccassi ]
   * Install and use sysusers.d config file
   * Drop workaround for versions older than 10 years ago