Directory Traversal Affecting buildah package, versions <1.44.0-r0


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Social Trends
EPSS
0.5% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-BUILDAH-17036457
  • published28 May 2026
  • disclosed27 Mar 2026

Introduced: 27 Mar 2026

CVE-2026-33747  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Chainguard buildah to version 1.44.0-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream buildah package and not the buildah package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected.

CVSS Base Scores

version 3.1