util/binfmt_misc/check.go in moby buildkit calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
External References: https://github.com/moby/buildkit/pull/1462 https://github.com/moby/moby/pull/40877
Originally I thought this might apply to linux fixing the check function, but not so. This vulnerability only relates to the Windows environment. Windows doesn't support binfmt and the check command, but the library assumes it's there and attempts to execute it.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27534