Bug 2452076 (CVE-2026-33747)

Summary: CVE-2026-33747 BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, alcohan, anjoseph, bdettelb, crizzo, derez, dfreiber, dhanak, doconnor, drosa, drow, dschmidt, dsimansk, dymurray, eglynn, erezende, gparvin, ibolton, jbalunas, jburrell, jcantril, jjoyce, jkoehler, jlanda, jmatthew, jmontleo, jprabhak, jsamir, jschluet, kbempah, kingland, kshier, kverlaen, lball, lgamliel, lhh, ljawale, lphiri, luizcosta, manissin, mburns, mgarciac, mnovotny, ngough, nweather, pahickey, pakotvan, pgaikwad, rbobbitt, rfreiman, rhaigner, rjohnson, rojacob, sakbas, sausingh, sdawley, simaishi, slucidi, smcdonal, solenoci, sseago, stcannon, sthirugn, teagle, veshanka, vkumar, whayutin, wtam, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in BuildKit, a toolkit for converting source code to build artifacts. An untrusted BuildKit frontend can craft a malicious API message that causes files to be written outside of the BuildKit state directory for the execution context. This arbitrary file write could enable an attacker to execute unauthorized code or escalate their privileges on the system. The issue is only reachable when a custom, untrusted BuildKit frontend is selected, either through the `#syntax` directive in the Dockerfile or through the `BUILDKIT_SYNTAX` build argument; builds that use a well-known frontend image such as `docker/dockerfile` are not affected.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2452182, 2452184, 2452185, 2452188, 2452189, 2452190, 2452191, 2452193, 2452194, 2452196, 2452199, 2452200, 2452201, 2452203, 2452204, 2452183, 2452186, 2452187, 2452192, 2452197, 2452198, 2452202    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-27 02:01:54 UTC
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
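Because the precondition for this flaw is an untrusted frontend selected through the `# syntax=` parser directive or the `BUILDKIT_SYNTAX` build argument, the practical mitigation on an unpatched builder is to audit both paths before a build runs. The script below is an added example written for this page; it is not BuildKit or Docker project code. It assumes a hypothetical allowlist `TRUSTED_FRONTENDS` (only `docker/dockerfile` by default, as the advisory names it), scans the leading comment block of a Dockerfile for a `# syntax=` directive (conservatively, treating any leading comment as a possible directive), compares the image repository against the allowlist, and applies the same check to `--build-arg BUILDKIT_SYNTAX=...` values. The sample Dockerfiles are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example (not BuildKit project code): flag untrusted BuildKit frontends
# reachable via "# syntax=" directives or --build-arg BUILDKIT_SYNTAX=...

# Hypothetical allowlist of frontend repositories (tag/digest ignored).
TRUSTED_FRONTENDS="docker/dockerfile docker.io/docker/dockerfile"

# Print the image named by a "# syntax=" directive, or nothing.
# Parser directives must precede any instruction, so scanning stops at the
# first non-comment, non-blank line; anything after that is a plain comment.
syntax_frontend() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ {
            line = $0
            sub(/^[[:space:]]*#[[:space:]]*/, "", line)
            if (tolower(line) ~ /^syntax[[:space:]]*=/) {
                sub(/^[^=]*=[[:space:]]*/, "", line)   # drop "syntax="
                sub(/[[:space:]].*$/, "", line)        # drop trailing text
                print line
                exit
            }
            next
        }
        { exit }
    ' "$1"
}

# Returns 0 if the frontend image's repository is on the allowlist, 1 otherwise.
frontend_trusted() {
    repo=$(printf '%s\n' "$1" | sed -e 's/@.*$//' -e 's/:[^/]*$//')
    for t in $TRUSTED_FRONTENDS; do
        [ "$repo" = "$t" ] && return 0
    done
    return 1
}

# Returns 0 when the Dockerfile has no directive or a trusted one, 1 otherwise.
check_dockerfile() {
    img=$(syntax_frontend "$1")
    [ -z "$img" ] && return 0
    if frontend_trusted "$img"; then return 0; fi
    echo "UNTRUSTED frontend in $1: $img" >&2
    return 1
}

# Audit the arguments of a docker/buildctl invocation for BUILDKIT_SYNTAX.
check_build_args() {
    for a in "$@"; do
        case "$a" in
            BUILDKIT_SYNTAX=*)            img=${a#BUILDKIT_SYNTAX=} ;;
            --build-arg=BUILDKIT_SYNTAX=*) img=${a#--build-arg=BUILDKIT_SYNTAX=} ;;
            *) continue ;;
        esac
        if ! frontend_trusted "$img"; then
            echo "UNTRUSTED frontend via build-arg: $img" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample Dockerfiles for the demonstration.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '# syntax=docker/dockerfile:1\nFROM alpine\nRUN echo hi\n' \
    > "$SAMPLE_DIR/pinned.Dockerfile"
printf '# escape=\\\n# syntax=example.com/acme/frontend:latest\nFROM alpine\n' \
    > "$SAMPLE_DIR/custom.Dockerfile"
printf 'FROM alpine\n# syntax=example.com/acme/frontend\n' \
    > "$SAMPLE_DIR/plain.Dockerfile"

for f in "$SAMPLE_DIR"/*.Dockerfile; do
    check_dockerfile "$f" && echo "ok: $f"
done
check_build_args --build-arg BUILDKIT_SYNTAX=docker/dockerfile:1 && echo "ok: build-arg"
```

The directive scan is deliberately conservative: it keeps looking through the whole leading comment block rather than stopping at the first non-directive comment, so it may flag a commented-out directive that BuildKit would ignore, but it never misses a live one. A `BUILDKIT_SYNTAX` build argument overrides the Dockerfile directive, which is why a CI wrapper should check both the file and the command line.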