The container plugin's go-worker depends on github.com/docker/docker v28.5.2+incompatible which is affected by:
- CVE-2026-34040 (HIGH) — Moby AuthZ plugin bypass. Fixed in v29.3.1.
- CVE-2026-33997 (MEDIUM) — Off-by-one error in plugin privilege validation. Fixed in v29.3.1.
Both vulnerabilities are flagged by Trivy and Grype when scanning libcontainer.so.
How to reproduce it
- Build the container plugin from main or use release v0.7.0
- Scan the resulting libcontainer.so with Trivy or Grype
- Observe CVE-2026-34040 and CVE-2026-33997 reported against github.com/docker/docker v28.5.2+incompatible
Expected behaviour
The container plugin should use github.com/docker/docker v29.3.1 or later (currently v29.4.3 is the latest stable) which contains fixes for both CVEs.
Screenshots
N/A
Environment
- Falco version: 0.43.1
- Plugin: container v0.7.0 (also affects main branch)
- The issue is in plugins/container/go-worker/go.mod
Additional context
The fix is a dependency bump in plugins/container/go-worker/go.mod:
github.com/docker/docker v28.5.2+incompatible → v29.4.3+incompatible
Moby v29.3.1 was released in April 2026 and the current stable is v29.4.3. The vulnerable dependency is present in both the latest release (v0.7.0, 2026-05-04) and the current
main branch.
References:
The container plugin's go-worker depends on github.com/docker/docker v28.5.2+incompatible which is affected by:
Both vulnerabilities are flagged by Trivy and Grype when scanning libcontainer.so.
How to reproduce it
Expected behaviour
The container plugin should use github.com/docker/docker v29.3.1 or later (currently v29.4.3 is the latest stable) which contains fixes for both CVEs.
Screenshots
N/A
Environment
Additional context
The fix is a dependency bump in plugins/container/go-worker/go.mod:
github.com/docker/docker v28.5.2+incompatible → v29.4.3+incompatible
Moby v29.3.1 was released in April 2026 and the current stable is v29.4.3. The vulnerable dependency is present in both the latest release (v0.7.0, 2026-05-04) and the current
main branch.
References: