Bug 2452076 (CVE-2026-33747) - CVE-2026-33747 BuildKit: github.com/moby/buildkit: BuildKit: Arbitrary file write and code execution via untrusted frontend
Keywords:
Status: NEW
Alias: CVE-2026-33747
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452182 2452184 2452185 2452188 2452189 2452190 2452191 2452193 2452194 2452196 2452199 2452200 2452201 2452203 2452204 2452183 2452186 2452187 2452192 2452197 2452198 2452202
Blocks:
Reported: 2026-03-27 02:01 UTC by OSIDB Bzimport
Modified: 2026-03-27 10:34 UTC (History)
CC List: 69 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-27 02:01:54 UTC
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when a custom BuildKit frontend is used, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend, selected with the `#syntax` directive or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image such as `docker/dockerfile` is not affected.
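The two selection mechanisms named above (the `# syntax=` parser directive and the `BUILDKIT_SYNTAX` build-arg) are the things a build pipeline can check before handing a Dockerfile to BuildKit. The following is an added audit script, not code from BuildKit or from this bug report: it parses a leading `# syntax=` directive using the Dockerfile parser-directive rules (directives are only honoured at the top of the file, before any blank line, plain comment or instruction), normalises the frontend image reference, and flags any frontend not on a trusted allowlist. The allowlist (`docker/dockerfile`, taken from the advisory, plus its `docker.io`-prefixed spelling), the `is_fixed_version` comparison against 0.28.1, and all sample Dockerfiles are constructed for this example.

```python
import re
from typing import Optional

# Frontend images treated as trusted. The advisory names docker/dockerfile as a
# well-known frontend that is not affected; the docker.io-prefixed form is the
# same image written with its registry. Allowlist constructed for this example.
TRUSTED_FRONTENDS = {"docker/dockerfile", "docker.io/docker/dockerfile"}

# First BuildKit release containing the fix, per the advisory.
FIXED_VERSION = (0, 28, 1)

# Shape of a Dockerfile parser directive: "# name=value" (case-insensitive
# name, flexible whitespace around "=").
DIRECTIVE_RE = re.compile(r"^#\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$")


def parse_syntax_directive(dockerfile: str) -> Optional[str]:
    """Return the value of a leading `# syntax=` directive, or None.

    Parser directives are only honoured at the very top of a Dockerfile; the
    first blank line, ordinary comment or instruction ends directive parsing,
    so a `# syntax=` line appearing later is an ordinary comment and ignored.
    """
    for raw in dockerfile.splitlines():
        m = DIRECTIVE_RE.match(raw.rstrip())
        if m is None:
            return None  # first non-directive line: stop looking
        if m.group(1).lower() == "syntax":
            return m.group(2)
    return None


def image_name(ref: str) -> str:
    """Strip any tag or digest from an image reference, keeping the registry
    and repository path. A registry host may carry a port, so only the last
    path segment is split on ':'."""
    ref = ref.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def frontend_ref(value: str) -> str:
    """The frontend image is the first whitespace-separated token of the
    directive or build-arg value; the rest is the frontend's command line."""
    return value.split()[0]


def audit_build(dockerfile: str, build_args: dict) -> list:
    """Return findings for every untrusted frontend selection.

    Both mechanisms named in the advisory are checked independently: the
    `# syntax=` directive in the Dockerfile and the BUILDKIT_SYNTAX build-arg.
    """
    findings = []
    directive = parse_syntax_directive(dockerfile)
    if directive is not None:
        ref = frontend_ref(directive)
        if image_name(ref) not in TRUSTED_FRONTENDS:
            findings.append(f"Dockerfile '# syntax=' selects untrusted frontend {ref}")
    arg = build_args.get("BUILDKIT_SYNTAX")
    if arg:
        ref = frontend_ref(arg)
        if image_name(ref) not in TRUSTED_FRONTENDS:
            findings.append(f"--build-arg BUILDKIT_SYNTAX selects untrusted frontend {ref}")
    return findings


def is_fixed_version(version: str) -> bool:
    """True if a BuildKit version string such as 'v0.28.1' is at or above the
    first fixed release. Pre-release and build suffixes are dropped first."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".")) >= FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs; registry.example.invalid is a placeholder host.
    samples = [
        ("# syntax=docker/dockerfile:1\nFROM alpine\n", {}),
        ("# syntax=registry.example.invalid/custom/frontend:latest\nFROM alpine\n", {}),
        ("FROM alpine\n", {"BUILDKIT_SYNTAX": "registry.example.invalid/custom/frontend"}),
        # Directive after an instruction is only a comment: not a selection.
        ("FROM alpine\n# syntax=registry.example.invalid/custom/frontend\n", {}),
    ]
    for dockerfile, args in samples:
        print(audit_build(dockerfile, args) or "ok")
    print("v0.28.0 fixed:", is_fixed_version("v0.28.0"))
    print("v0.28.1 fixed:", is_fixed_version("v0.28.1"))
```

The audit reports both mechanisms rather than deciding which one BuildKit would honour, so a pipeline can reject a build whenever either points at a frontend outside the allowlist; pairing it with `is_fixed_version` on the daemon's reported BuildKit version covers hosts that cannot yet be upgraded.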

