Security update for docker-stable
This security update for docker-stable addresses four vulnerabilities affecting the BuildKit component and plugin privilege validation. The issues include the ability for malicious frontends to write files outside the BuildKit state directory, insufficient validation of Git URL fragments allowing access to files outside the checked-out repository, privilege validation bypass during plugin operations, and an authorization regression related to zero-length checks. These vulnerabilities are rated high severity by the SUSE Product Security Team.
AI Analysis
Technical Summary
The update fixes four vulnerabilities in docker-stable related to the BuildKit component and plugin privilege validation. CVE-2026-33747 allows malicious frontends to craft API messages that cause files to be written outside the BuildKit state directory. CVE-2026-33748 involves insufficient validation of Git URL fragment subdirectory components, potentially allowing access to files outside the checked-out Git repository. CVE-2026-33997 addresses a privilege validation bypass during plugin operations. CVE-2026-34040 fixes an authorization regression involving zero-length checks. These issues could lead to unauthorized file writes and privilege escalation within the affected docker-stable environment.
Potential Impact
Successful exploitation of these vulnerabilities could allow attackers to write files outside intended directories, access unauthorized files in Git repositories, bypass privilege checks during plugin operations, and exploit authorization regressions. This could lead to unauthorized code execution, privilege escalation, or unauthorized access to sensitive files within the docker-stable environment.
Mitigation Recommendations
A security update for docker-stable has been released by the SUSE Product Security Team addressing these vulnerabilities. Users should apply the official update SUSE-SU-2026:2578-1 to remediate these issues. Patch status is confirmed by the vendor advisory. No additional mitigation steps are specified beyond applying the update.
Security update for docker-stable
Description
This security update for docker-stable addresses four vulnerabilities affecting the BuildKit component and plugin privilege validation. The issues include the ability for malicious frontends to write files outside the BuildKit state directory, insufficient validation of Git URL fragments allowing access to files outside the checked-out repository, privilege validation bypass during plugin operations, and an authorization regression related to zero-length checks. These vulnerabilities are rated high severity by the SUSE Product Security Team.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The update fixes four vulnerabilities in docker-stable related to the BuildKit component and plugin privilege validation. CVE-2026-33747 allows malicious frontends to craft API messages that cause files to be written outside the BuildKit state directory. CVE-2026-33748 involves insufficient validation of Git URL fragment subdirectory components, potentially allowing access to files outside the checked-out Git repository. CVE-2026-33997 addresses a privilege validation bypass during plugin operations. CVE-2026-34040 fixes an authorization regression involving zero-length checks. These issues could lead to unauthorized file writes and privilege escalation within the affected docker-stable environment.
Potential Impact
Successful exploitation of these vulnerabilities could allow attackers to write files outside intended directories, access unauthorized files in Git repositories, bypass privilege checks during plugin operations, and exploit authorization regressions. This could lead to unauthorized code execution, privilege escalation, or unauthorized access to sensitive files within the docker-stable environment.
Mitigation Recommendations
A security update for docker-stable has been released by the SUSE Product Security Team addressing these vulnerabilities. Users should apply the official update SUSE-SU-2026:2578-1 to remediate these issues. Patch status is confirmed by the vendor advisory. No additional mitigation steps are specified beyond applying the update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- SUSE Product Security Team
- Advisory Id
- SUSE-SU-2026:2578-1
- Cve Count
- 4
- Additional Cves
- ["CVE-2026-33748","CVE-2026-33997","CVE-2026-34040"]
- Cvss Version
- null
Threat ID: 6a3c0d28eed863c81e23f2f1
Added to database: 06/24/2026, 17:00:24 UTC
Last enriched: 06/24/2026, 17:22:43 UTC
Last updated: 06/24/2026, 19:01:39 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.