DEBIAN-CVE-2026-33747

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33747

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33747.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33747

Upstream

CVE-2026-33747

Published

2026-03-27T01:16:21.330Z

Modified

2026-05-14T12:00:16.380997Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected.

References

https://security-tracker.debian.org/tracker/CVE-2026-33747

Affected packages

Debian:11 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.5+dfsg1-1

20.10.5+dfsg1-1+deb11u1

20.10.5+dfsg1-1+deb11u2

20.10.5+dfsg1-1+deb11u3

20.10.5+dfsg1-1+deb11u4

20.10.8+dfsg1-1

20.10.8+dfsg1-2

20.10.10+dfsg1-1

20.10.11+dfsg1-1

20.10.11+dfsg1-2

20.10.14+dfsg1-1

20.10.17+dfsg1-1

20.10.19+dfsg1-1

20.10.21+dfsg1-1

20.10.22+dfsg1-1

20.10.22+dfsg1-2

20.10.23+dfsg1-1

20.10.24+dfsg1-1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

26.1.4+dfsg1-9

26.1.4+dfsg2-1

26.1.4+dfsg3-1

26.1.5+dfsg1-1

26.1.5+dfsg1-2

26.1.5+dfsg1-3

26.1.5+dfsg1-4

26.1.5+dfsg1-5

26.1.5+dfsg1-6

26.1.5+dfsg1-7

26.1.5+dfsg1-8

26.1.5+dfsg1-9

26.1.5+dfsg1-10

27.*

27.5.1+dfsg1-1

27.5.1+dfsg1-2

27.5.1+dfsg2-1

27.5.1+dfsg3-1

27.5.1+dfsg3-2

27.5.1+dfsg3-3

27.5.1+dfsg3-4

27.5.1+dfsg3-5

27.5.1+dfsg3-6

27.5.1+dfsg4-1

27.5.1+dfsg4-2

28.*

28.5.2+dfsg1-1

28.5.2+dfsg2-1

28.5.2+dfsg3-1

28.5.2+dfsg3-2

28.5.2+dfsg4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33747.json"

Debian:12 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.10.24+dfsg1-1

20.10.24+dfsg1-1+deb12u1

20.10.25+dfsg1-1

20.10.25+dfsg1-2

20.10.25+dfsg1-3

20.10.25+dfsg1-4

26.*

26.1.4+dfsg1-1

26.1.4+dfsg1-2

26.1.4+dfsg1-3

26.1.4+dfsg1-4

26.1.4+dfsg1-5

26.1.4+dfsg1-6

26.1.4+dfsg1-7

26.1.4+dfsg1-8

26.1.4+dfsg1-9

26.1.4+dfsg2-1

26.1.4+dfsg3-1

26.1.5+dfsg1-1

26.1.5+dfsg1-2

26.1.5+dfsg1-3

26.1.5+dfsg1-4

26.1.5+dfsg1-5

26.1.5+dfsg1-6

26.1.5+dfsg1-7

26.1.5+dfsg1-8

26.1.5+dfsg1-9

26.1.5+dfsg1-10

27.*

27.5.1+dfsg1-1

27.5.1+dfsg1-2

27.5.1+dfsg2-1

27.5.1+dfsg3-1

27.5.1+dfsg3-2

27.5.1+dfsg3-3

27.5.1+dfsg3-4

27.5.1+dfsg3-5

27.5.1+dfsg3-6

27.5.1+dfsg4-1

27.5.1+dfsg4-2

28.*

28.5.2+dfsg1-1

28.5.2+dfsg2-1

28.5.2+dfsg3-1

28.5.2+dfsg3-2

28.5.2+dfsg4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33747.json"

Debian:13 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

26.*

26.1.5+dfsg1-9

26.1.5+dfsg1-10

27.*

27.5.1+dfsg1-1

27.5.1+dfsg1-2

27.5.1+dfsg2-1

27.5.1+dfsg3-1

27.5.1+dfsg3-2

27.5.1+dfsg3-3

27.5.1+dfsg3-4

27.5.1+dfsg3-5

27.5.1+dfsg3-6

27.5.1+dfsg4-1

27.5.1+dfsg4-2

28.*

28.5.2+dfsg1-1

28.5.2+dfsg2-1

28.5.2+dfsg3-1

28.5.2+dfsg3-2

28.5.2+dfsg4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33747.json"

Debian:14 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

26.*

26.1.5+dfsg1-9

26.1.5+dfsg1-10

27.*

27.5.1+dfsg1-1

27.5.1+dfsg1-2

27.5.1+dfsg2-1

27.5.1+dfsg3-1

27.5.1+dfsg3-2

27.5.1+dfsg3-3

27.5.1+dfsg3-4

27.5.1+dfsg3-5

27.5.1+dfsg3-6

27.5.1+dfsg4-1

27.5.1+dfsg4-2

28.*

28.5.2+dfsg1-1

28.5.2+dfsg2-1

28.5.2+dfsg3-1

28.5.2+dfsg3-2

28.5.2+dfsg4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33747.json"