CVE
CVE-2026-33747
BuildKit's Malicious frontend can cause file escape outside of storage root
Impact
When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.
Patches
The issue has been fixed in v0.28.1+
Workarounds
Issue requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.4
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
8.4
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Resources
No items found.
References
https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj, https://nvd.nist.gov/vuln/detail/CVE-2026-33747, https://github.com/moby/buildkit, https://github.com/moby/buildkit/releases/tag/v0.28.1
Basic Information
Ecosystem
