PT-2024-1519 · Buildkit+4

Rmcnamara-Snyk · Published 2024-01-31 · Updated 2026-05-18 · CVE-2024-23651

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BuildKit versions prior to 0.12.5

Description

The issue is a race condition that can occur when two malicious build steps run in parallel and share the same cache mounts with subpaths. This can lead to files from the host system being accessible to the build container.

Recommendations

For versions prior to 0.12.5, update to version 0.12.5 to resolve the issue. As a temporary workaround, avoid using a BuildKit frontend from an untrusted source and avoid building an untrusted Dockerfile that contains cache mounts with --mount=type=cache,source=... options.
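
The workaround above can be checked before a build runs. The following Python check is an added example, not part of the advisory or of BuildKit: it flags RUN instructions whose cache mount sets a source option and tests a BuildKit version string against 0.12.5. The function names and the sample Dockerfile are constructed for illustration.

```python
import re

FIXED = (0, 12, 5)  # first fixed BuildKit release named in the advisory

# Constructed sample Dockerfile (not from the advisory).
SAMPLE = r"""FROM alpine:3.19
RUN --mount=type=cache,target=/root/.cache apk add curl
RUN --mount=type=cache,id=shared,source=sub/dir,target=/mnt/a \
    ls /mnt/a
RUN --mount=type=bind,source=.,target=/src make
"""

def is_affected(version):
    """True if a BuildKit version such as 'v0.12.4' predates the fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(map(int, m.groups())) < FIXED

def logical_lines(dockerfile):
    """Yield (first line number, text) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if line.lstrip().startswith("#"):
            continue  # comments are dropped, also inside a continuation
        start = start or n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def risky_cache_mounts(dockerfile):
    """Return (line, mount spec) for cache mounts that set a source subpath."""
    findings = []
    for n, text in logical_lines(dockerfile):
        tokens = text.split()
        if not tokens or tokens[0].upper() != "RUN":
            continue
        for tok in tokens[1:]:
            if not tok.startswith("--"):
                break  # RUN flags end where the command begins
            flag, _, spec = tok.partition("=")
            opts = dict(kv.partition("=")[::2] for kv in spec.split(","))
            if flag == "--mount" and opts.get("type") == "cache" and "source" in opts:
                findings.append((n, spec))
    return findings
```

A non-empty result from risky_cache_mounts on an untrusted Dockerfile, combined with is_affected returning True for the builder, is the case the workaround says to avoid.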

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

AZL-34085
AZL-35005
BDU:2024-01031
CLEANSTART-2026-BK59402
CLEANSTART-2026-BN11148
CLEANSTART-2026-GY69323
CLEANSTART-2026-HI89495
CLEANSTART-2026-HL71566
CLEANSTART-2026-JD48541
CLEANSTART-2026-OS18490
CLEANSTART-2026-SB85645
CLEANSTART-2026-SP51034
CLEANSTART-2026-TD34476
CLEANSTART-2026-XL45869
CLEANSTART-2026-YB44027
CLEANSTART-2026-ZM20570
CVE-2024-23651
GHSA-M3R6-H7WV-7XXV
GO-2024-2493
OPENSUSE-SU-2024:13651-1
OPENSUSE-SU-2024:13689-1
OPENSUSE-SU-2024:14059-1
OPENSUSE-SU-2024_3120-1
OPENSUSE-SU-2025:15589-1
SUSE-SU-2024:0586-1
SUSE-SU-2024:0586-2
SUSE-SU-2024:0587-1
SUSE-SU-2024:1469-1
SUSE-SU-2024:3120-1
SUSE-SU-2024_0586-1
SUSE-SU-2024_0586-2
SUSE-SU-2024_0587-1
SUSE-SU-2024_1469-1
SUSE-SU-2025:03540-1
SUSE-SU-2025:03545-1
SUSE-SU-2025:20056-1
SUSE-SU-2025:20107-1
USN-7474-1

Affected Products

Astra Linux
Buildkit
Linuxmint
Suse
Ubuntu