CVE-2026-33747

High CVSS: 8.4

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

Vendor

Mobyproject

Product

Buildkit

CWE

CWE-22

Yayın Tarihi

2026-03-27 01:16:21

Güncelleme

2026-04-01 14:34:48

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Buildkit HIGH Mobyproject 2026

Referanslar

https://github.com/moby/buildkit/releases/tag/v0.28.1 https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj

Benzer Kayıtlar

Medium

CVE-2026-33997

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that all…

High

CVE-2026-34040

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that all…

Medium

CVE-2025-54388

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Conta…

Low

CVE-2025-54410

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Conta…