USN-8230-1
- Source
- https://ubuntu.com/security/notices/USN-8230-1
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8230-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/USN-8230-1
- Upstream
- Related
- Published
- 2026-05-06T03:28:52Z
- Modified
- 2026-05-07T14:14:22.073092095Z
- Summary
- docker.io-app vulnerabilities
- Details
-
It was discovered that BuildKit, contained within Docker, incorrectly handled file path validation when processing frontend API messages. An attacker could possibly use this issue to write files outside of the intended state directory. (CVE-2026-33747)
It was discovered that BuildKit, contained within Docker, incorrectly validated the subdir component of Git URL fragments. An attacker could possibly use this issue to access files outside of the checked-out repository root. (CVE-2026-33748)
- References
Affected packages
Ubuntu:Pro:20.04:LTS / docker.io-app
Package
- Name
- docker.io-app
- Purl
- pkg:deb/ubuntu/docker.io-app@26.1.3-0ubuntu1~20.04.1+esm2?arch=source&distro=esm-apps/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed26.1.3-0ubuntu1~20.04.1+esm2
Affected versions
20.*
20.10.25-0ubuntu1~20.04.1
20.10.25-0ubuntu1~20.04.2
24.*
24.0.5-0ubuntu1~20.04.1
24.0.7-0ubuntu2~20.04.1
26.*
26.1.3-0ubuntu1~20.04.1
26.1.3-0ubuntu1~20.04.1+esm1
Ecosystem specific
{
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "docker.io",
"binary_version": "26.1.3-0ubuntu1~20.04.1+esm2"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-33747",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-33748",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8230-1.json"
Ubuntu:22.04:LTS / docker.io-app
Package
- Name
- docker.io-app
- Purl
- pkg:deb/ubuntu/docker.io-app@29.1.3-0ubuntu3~22.04.2?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed29.1.3-0ubuntu3~22.04.2
Affected versions
20.*
20.10.25-0ubuntu1~22.04.1
20.10.25-0ubuntu1~22.04.2
24.*
24.0.5-0ubuntu1~22.04.1
24.0.7-0ubuntu2~22.04.1
26.*
26.1.3-0ubuntu1~22.04.1
27.*
27.5.1-0ubuntu3~22.04.1
27.5.1-0ubuntu3~22.04.2
28.*
28.2.2-0ubuntu1~22.04.1
29.*
29.1.3-0ubuntu3~22.04.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "docker.io",
"binary_version": "29.1.3-0ubuntu3~22.04.2"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-33747",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-33748",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8230-1.json"
Ubuntu:24.04:LTS / docker.io-app
Package
- Name
- docker.io-app
- Purl
- pkg:deb/ubuntu/docker.io-app@29.1.3-0ubuntu3~24.04.2?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed29.1.3-0ubuntu3~24.04.2
Affected versions
24.*
24.0.5-0ubuntu1
24.0.7-0ubuntu1
24.0.7-0ubuntu2
24.0.7-0ubuntu3
24.0.7-0ubuntu4
24.0.7-0ubuntu4.1
26.*
26.1.3-0ubuntu1~24.04.1
27.*
27.5.1-0ubuntu3~24.04.1
27.5.1-0ubuntu3~24.04.2
28.*
28.2.2-0ubuntu1~24.04.1
29.*
29.1.3-0ubuntu3~24.04.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "docker.io",
"binary_version": "29.1.3-0ubuntu3~24.04.2"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-33747",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-33748",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8230-1.json"
Ubuntu:26.04 / docker.io-app
Package
- Name
- docker.io-app
- Purl
- pkg:deb/ubuntu/docker.io-app@29.1.3-0ubuntu4.1?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed29.1.3-0ubuntu4.1
Affected versions
28.*
28.2.2-0ubuntu1
29.*
29.1.2-0ubuntu1
29.1.3-0ubuntu1
29.1.3-0ubuntu2
29.1.3-0ubuntu3
29.1.3-0ubuntu4
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "docker.io",
"binary_version": "29.1.3-0ubuntu4.1"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-33747",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
},
{
"id": "CVE-2026-33748",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
},
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:26.04"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8230-1.json"