Moby: Off-by-one error in plugin privilege validation
Summary
| CVE | CVE-2026-33997 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-31 03:15:57 UTC |
| Updated | 2026-06-30 03:18:49 UTC |
| Description | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1. |
Risk And Classification
Primary CVSS: v3.1 8.1 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.003870000 probability, percentile 0.306710000 (date 2026-07-02)
Problem Types: CWE-193 | CWE-266 | CWE-193 CWE-193: Off-by-one Error | CWE-266 Incorrect Privilege Assignment
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | ADP | CVSS | 8.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Moby | Moby | affected < 29.3.1 | Not specified |
| ADP | Red Hat | Multicluster Global Hub 1.4.5 | Not specified | Not specified |
| ADP | Red Hat | Multicluster Global Hub 1.5.4 | Not specified | Not specified |
| ADP | Red Hat | Multicluster Global Hub 1.6.2 | Not specified | Not specified |
| ADP | Red Hat | Multicluster Engine For Kubernetes | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Virtualization 4 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-33997 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9 | [email protected] | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:21769 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:23345 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22347 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33997.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/moby/moby/releases/tag/docker-v29.3.1 | [email protected] | github.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-31T03:01:29.529Z | Reported to Red Hat. |
| ADP | 2026-03-31T01:36:51.404Z | Made public. |
Solutions
ADP: RHSA-2026:22347: Multicluster Global Hub 1.4.5
ADP: RHSA-2026:21769: Multicluster Global Hub 1.5.4
ADP: RHSA-2026:23345: Multicluster Global Hub 1.6.2
There are currently no legacy QID mappings associated with this CVE.