CVE-2026-33747

HIGH 8.4, EPSS 0.06%

BuildKit's Malicious frontend can cause file escape outside of storage root

Published: 2026/3/26, Modified: 2026/3/27
Also known as: GHSA-4c29-8rgm-jvjj, CGA-24vx-jj57-3w5c, GO-2026-4858

Description

### Impact

When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.

### Patches

The issue has been fixed in v0.28.1+.

### Workarounds

The issue requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
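The workaround above amounts to knowing which frontend every build selects. The following audit helper is an added example, not code from the advisory or from BuildKit: it extracts the frontend from a leading `# syntax=` directive and from `--build-arg BUILDKIT_SYNTAX` in a build command, then reports anything outside an allowlist. The allowlist contents, the function names and the sample inputs are assumptions, and only the `#` comment form of the directive is covered.

```python
import re
import shlex

# Assumption: frontend repositories this organisation trusts (hypothetical allowlist).
TRUSTED_FRONTENDS = {"docker/dockerfile"}
_DIRECTIVE = re.compile(r"^#\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$")

def repo_of(ref):
    """Strip digest, tag and the docker.io prefix from an image reference."""
    name = ref.split("@", 1)[0]
    if ":" in name.rsplit("/", 1)[-1]:
        name = name.rsplit(":", 1)[0]
    return name[len("docker.io/"):] if name.startswith("docker.io/") else name

def dockerfile_frontend(text):
    """Return the image set by a leading '# syntax=' parser directive, or None."""
    lines = text.splitlines()
    if lines and lines[0].startswith("#!"):
        lines = lines[1:]  # a shebang line may precede the directives
    for line in lines:
        m = _DIRECTIVE.match(line.strip())
        if not m:
            return None  # directives only count before any other line
        if m.group(1).lower() == "syntax":
            return m.group(2)
    return None

def cli_frontend(command):
    """Return the BUILDKIT_SYNTAX value given via --build-arg, or None."""
    args = shlex.split(command)
    for i, arg in enumerate(args):
        if arg == "--build-arg" and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith("--build-arg="):
            value = arg.split("=", 1)[1]
        else:
            continue
        if value == "BUILDKIT_SYNTAX":
            return "$BUILDKIT_SYNTAX"  # value comes from the caller's environment
        if value.startswith("BUILDKIT_SYNTAX="):
            return value.split("=", 1)[1]
    return None

def audit(dockerfile_text, build_command=""):
    """List (source, frontend) pairs whose repository is not on the allowlist."""
    found = [("syntax directive", dockerfile_frontend(dockerfile_text)),
             ("BUILDKIT_SYNTAX build-arg", cli_frontend(build_command))]
    return [(src, ref) for src, ref in found
            if ref is not None and repo_of(ref) not in TRUSTED_FRONTENDS]
```

A non-empty result from `audit` means the build selects a frontend that needs review before it runs on a BuildKit version older than v0.28.1.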

Affected packages (3)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

References (5)