VDB
CVE-2026-33747
CVE-2026-33747
PUBLISHED
CVSS 8.399999618530273 HIGH
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
EPSS 0.06% · 19.8th percentile
Risk Scores
CVSS 3.1
8.399999618530273
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.06%
19.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | moby/buildkit | 0, 0, 0 |
| mobyproject | buildkit | 0 |
| moby | buildkit | *, < 0.28.1, < 0.28.1 |
Exploit Intelligence
- CIRCL seen: CVE-2026-33747 (circl-sighting)
- CIRCL seen: CVE-2026-33747 (circl-sighting)
- CIRCL seen: CVE-2026-33747 (circl-sighting)
- CIRCL seen: CVE-2026-33747 (circl-sighting)
- CIRCL seen: CVE-2026-33747 (circl-sighting)
- CIRCL seen: CVE-2026-33747 (circl-sighting)
- https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj (circl)
- https://github.com/moby/buildkit/releases/tag/v0.28.1 (circl)
Timeline
- Mar 26, 2026 CVE Published
- Mar 27, 2026 CVE Updated
- Mar 27, 2026 Coalition ESS Score
- Mar 27, 2026 PoC Published
- Mar 27, 2026 PoC Published
- Mar 27, 2026 Security Advisory
- Mar 28, 2026 EPSS Score
- Mar 28, 2026 PoC Published
- Apr 1, 2026 PoC Published
- Apr 11, 2026 PoC Published
- May 6, 2026 PoC Published
- May 18, 2026 EPSS Score