VYPR
Medium severity · NVD Advisory · Published Jun 22, 2026

Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive

CVE-2026-44517

Description

Impact

When processing build contexts or add/copy instructions, a malicious server serving a Git repository or a tar archive can cause files outside the build context directory to be included in the build context or copied into the build.

Patches

Fixed in Buildah 1.44 and 1.43.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions       Patched versions
github.com/containers/buildah    Go          >= 1.38.1, < 1.43.2     1.43.2

Vulnerability mechanics

Root cause

"Improper limitation of pathnames when processing Git repositories or tar archives allows path traversal outside the build context directory."

Attack vector

An attacker controls a Git repository or tar archive server that Buildah pulls from during a build. By crafting repository contents or archive entries with path traversal elements (e.g., `../` sequences), the attacker can cause Buildah to include files outside the designated build context directory [CWE-22]. This allows arbitrary files from the host filesystem to be incorporated into the container image during the build process.

Affected code

The vulnerability affects how Buildah processes build contexts and `add`/`copy` instructions. When a malicious server serves a Git repository or a tar archive file, path traversal can occur, causing files outside the intended build context directory to be included in the build context or copied into the build.

What the fix does

The advisory states that the fix is included in Buildah 1.44 and 1.43.2. The advisory text does not include the code changes themselves, but the fix addresses the improper limitation of pathnames when processing Git repositories and tar archives, ensuring that path traversal sequences are neutralized so that files outside the build context directory cannot be accessed.
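The containment check described above, as an added Go example: this is not Buildah's code or anything from the fix commits, and the context root `/tmp/ctx`, the entry names and the in-memory archive are constructed test data. It goes slightly beyond the advisory text by also judging symlink entries by their resolved target, since a link pointing above the context root is the same class of escape.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// contained reports whether name, joined under root, stays inside root. Join
// cleans the result, so "a/../../x" collapses to "../x" and is caught, while an
// absolute name is re-rooted under root instead of being honoured.
func contained(root, name string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Join(root, name))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// rejectedEntries walks a tar stream and returns the names of entries that must
// not be extracted under root; an empty result means the archive stays inside.
func rejectedEntries(root string, r io.Reader) ([]string, error) {
	var bad []string
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		// A symlink is judged by its target, resolved from the link's own directory.
		target := filepath.Join(filepath.Dir(h.Name), h.Linkname)
		if !contained(root, h.Name) || h.Typeflag == tar.TypeSymlink &&
			(filepath.IsAbs(h.Linkname) || !contained(root, target)) {
			bad = append(bad, h.Name)
		}
	}
	return bad, nil
}

// sampleArchive is constructed test data: a benign file, a "../" entry and a symlink above root.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("FROM scratch\n")
	tw.WriteHeader(&tar.Header{Name: "app/Containerfile", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.WriteHeader(&tar.Header{Name: "../escape.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.WriteHeader(&tar.Header{Name: "app/link", Typeflag: tar.TypeSymlink, Mode: 0o777, Linkname: "../../outside"})
	tw.Close()
	return buf.Bytes()
}
```

Running `rejectedEntries("/tmp/ctx", bytes.NewReader(sampleArchive()))` returns `["../escape.txt", "app/link"]`; an extractor that refuses those entries keeps the build context where the Containerfile expects it.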

Preconditions

  • Buildah must be configured to pull from a Git repository or tar archive served by an attacker-controlled server.
  • The attacker must be able to serve a malicious Git repository or tar archive that Buildah will process as a build context or via add/copy instructions.

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
