CVE-2026-33747
HIGH
BuildKit vulnerable to malicious frontend causing file escape outside of storage root
Title source: cnaDescription
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when a build uses a custom BuildKit frontend, that frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context (a path traversal, CWE-22). The issue has been fixed in v0.28.1. Exploitation requires running an untrusted frontend image, selected either with a `# syntax=` parser directive at the top of the Dockerfile or with `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image such as `docker/dockerfile` is not affected.
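Because the advisory makes exposure a function of two things, the BuildKit version and which frontend image a build pulls in, the practical check is to inventory every frontend reference a build can resolve and compare it against an allowlist. The following Go program is an added example for this page, not BuildKit's own code: it extracts the `# syntax=` directive from a Dockerfile (stopping, as the Dockerfile parser does, at the first line that is not a parser directive), also considers a `BUILDKIT_SYNTAX` build-arg, classifies each reference by repository and digest pinning, and reports whether a given BuildKit version predates v0.28.1. The `trustedFrontends` allowlist, the `ghcr.io/example/...` reference and the sample Dockerfiles are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumption for this example: the frontend repositories this pipeline trusts.
// The advisory states the well-known docker/dockerfile frontend is not affected;
// anything outside this list should be reviewed before a build runs it.
var trustedFrontends = map[string]bool{
	"docker/dockerfile":           true,
	"docker.io/docker/dockerfile": true,
}

// First fixed BuildKit release per the advisory: v0.28.1.
const fixedMajor, fixedMinor, fixedPatch = 0, 28, 1

// directiveRe matches a parser directive line such as "# syntax=docker/dockerfile:1".
// Directive names are case-insensitive in the Dockerfile parser.
var directiveRe = regexp.MustCompile(`^#\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(\S+)\s*$`)

// SyntaxDirective returns the frontend named by a "# syntax=" directive, if any.
// Directives are only honoured while every preceding line was itself a directive;
// the first blank line, ordinary comment or instruction ends the search.
func SyntaxDirective(dockerfile string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		m := directiveRe.FindStringSubmatch(sc.Text())
		if m == nil {
			return "", false
		}
		if strings.EqualFold(m[1], "syntax") {
			return m[2], true
		}
	}
	return "", false
}

// Assessment summarises what one frontend reference implies for this CVE.
type Assessment struct {
	Ref     string
	Repo    string
	Trusted bool // repository is in trustedFrontends
	Pinned  bool // reference carries an @sha256 digest
}

// splitRef separates an image reference into repository, tag and digest,
// handling registry hosts with ports such as localhost:5000/frontend:dev.
func splitRef(ref string) (repo, tag, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref, digest = ref[:i], ref[i+1:]
	}
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		ref, tag = ref[:colon], ref[colon+1:]
	}
	return ref, tag, digest
}

// AssessFrontend classifies a single frontend reference.
func AssessFrontend(ref string) Assessment {
	repo, _, digest := splitRef(ref)
	return Assessment{Ref: ref, Repo: repo, Trusted: trustedFrontends[repo],
		Pinned: strings.HasPrefix(digest, "sha256:")}
}

// FrontendRefs collects every frontend a build could resolve: the Dockerfile's
// "# syntax=" directive and a BUILDKIT_SYNTAX build-arg. Both are checked rather
// than assuming a precedence between them.
func FrontendRefs(dockerfile string, buildArgs map[string]string) []string {
	var refs []string
	if ref, ok := SyntaxDirective(dockerfile); ok {
		refs = append(refs, ref)
	}
	if ref := buildArgs["BUILDKIT_SYNTAX"]; ref != "" {
		refs = append(refs, ref)
	}
	return refs
}

// UntrustedFrontends returns the references that are not on the allowlist.
func UntrustedFrontends(dockerfile string, buildArgs map[string]string) []Assessment {
	var out []Assessment
	for _, ref := range FrontendRefs(dockerfile, buildArgs) {
		if a := AssessFrontend(ref); !a.Trusted {
			out = append(out, a)
		}
	}
	return out
}

// VulnerableVersion reports whether a BuildKit version (with or without a leading
// "v", pre-release suffixes such as "-rc1" tolerated) is older than v0.28.1.
func VulnerableVersion(v string) (bool, error) {
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	if len(parts) != 3 {
		return false, fmt.Errorf("unparseable version %q", v)
	}
	var n [3]int
	pre := false
	for i, p := range parts {
		if j := strings.IndexAny(p, "-+"); j >= 0 {
			p, pre = p[:j], true
		}
		x, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unparseable version %q: %w", v, err)
		}
		n[i] = x
	}
	fixed := [3]int{fixedMajor, fixedMinor, fixedPatch}
	for i := range fixed {
		if n[i] != fixed[i] {
			return n[i] < fixed[i], nil
		}
	}
	return pre, nil // 0.28.1-rc1 sorts before 0.28.1 and is still affected
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	pinned := "# syntax=docker/dockerfile:1@sha256:" + strings.Repeat("ab", 32) + "\nFROM alpine\n"
	custom := "# syntax=ghcr.io/example/custom-frontend:latest\nFROM alpine\n"
	for _, d := range []string{pinned, custom} {
		for _, a := range UntrustedFrontends(d, nil) {
			fmt.Printf("review frontend %s (repo %s, digest-pinned=%v)\n", a.Ref, a.Repo, a.Pinned)
		}
	}
	if vuln, _ := VulnerableVersion("v0.28.0"); vuln {
		fmt.Println("BuildKit v0.28.0 is affected; upgrade to v0.28.1 or later")
	}
}
```

Two notes on use: a reference on the allowlist but not digest-pinned still resolves whatever the registry serves for that tag, so `Pinned` is worth surfacing alongside `Trusted`; and because `BUILDKIT_SYNTAX` is supplied by whoever invokes the build, CI systems that let pull requests set build-args should treat that argument as untrusted input in its own right.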
References (2)
Confirm (x_refsource_confirm)
https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj
Misc (x_refsource_misc)
https://github.com/moby/buildkit/releases/tag/v0.28.1
Scores
CVSS v3
8.4
EPSS
0.0050
EPSS Percentile
38.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (3)
moby/buildkit (Go)
0 - 0.28.1
moby/buildkit
< 0.28.1
mobyproject/buildkit
< 0.28.1
Published
Mar 27, 2026
Tracked Since
Mar 27, 2026