CVE-2026-24905
Command Injection in Inspektor Gadget Image Build Allows Arbitrary Execution

Publication date: 2026-01-29

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Inspektor Gadget is a set of tools and a framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides an image-building subcommand used to generate custom gadget OCI images. Part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template used during the build process. This file includes user-controlled data in an unsafe fashion: some parameters are embedded without adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure can execute arbitrary commands during the build process. An attacker able to exploit this vulnerability can execute arbitrary commands on the Linux host where the `ig` command is launched if images are built with the `--local` flag, or in the build container invoked by `ig` if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.51.1 fixes the issue.
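The defect class described above, as an added example that is not Inspektor Gadget's own code: a simplified, hypothetical `buildOptions` struct rendered into a Makefile recipe with Go's `text/template`. `renderUnchecked` reproduces the weak pattern (manifest values land verbatim in a shell-interpreted recipe line), while `renderMakefile` validates every value against an allowlist before rendering, so a value carrying shell or make metacharacters is rejected instead of reaching the recipe. The struct fields, the template and the sample manifest values are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// buildOptions is a hypothetical stand-in for the manifest-derived options
// (assumption: the real inspektor-gadget struct is not reproduced here).
type buildOptions struct {
	Program string // source file to compile
	Output  string // object file to produce
}

// makefileTmpl mimics a Makefile.build-style template: each value is spliced
// straight into a recipe line that make hands to /bin/sh.
const makefileTmpl = `build:
	clang -target bpf -O2 -c {{.Program}} -o {{.Output}}
`

var mk = template.Must(template.New("mk").Parse(makefileTmpl))

// renderUnchecked is the weak pattern: whatever the manifest says is rendered
// as-is, so metacharacters in a value become part of the shell command.
func renderUnchecked(opts buildOptions) string {
	var buf bytes.Buffer
	if err := mk.Execute(&buf, opts); err != nil {
		panic(err)
	}
	return buf.String()
}

// safeBuildValue is an allowlist for path-like build values: letters, digits,
// dot, underscore, dash and slash only. Anything make or sh could interpret
// (spaces, ; | & $ ` ( ) quotes, newlines) fails the match.
var safeBuildValue = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// validate rejects any option value outside the allowlist. Fields are checked
// in a fixed order so the first error is deterministic.
func validate(opts buildOptions) error {
	fields := []struct{ name, value string }{
		{"program", opts.Program},
		{"output", opts.Output},
	}
	for _, f := range fields {
		if !safeBuildValue.MatchString(f.value) {
			return fmt.Errorf("build option %q has unsafe value %q", f.name, f.value)
		}
	}
	return nil
}

// renderMakefile is the hardened path: validate first, render only on success.
func renderMakefile(opts buildOptions) (string, error) {
	if err := validate(opts); err != nil {
		return "", err
	}
	return renderUnchecked(opts), nil
}

func main() {
	// Constructed manifest values: one clean, one carrying a shell separator.
	clean := buildOptions{Program: "prog.bpf.c", Output: "prog.bpf.o"}
	tainted := buildOptions{Program: "prog.bpf.c; echo INJECTED", Output: "prog.bpf.o"}

	fmt.Print("unchecked render of tainted manifest:\n", renderUnchecked(tainted))
	if _, err := renderMakefile(tainted); err != nil {
		fmt.Println("validated render rejected it:", err)
	}
	out, _ := renderMakefile(clean)
	fmt.Print("validated render of clean manifest:\n", out)
}
```

The allowlist approach is deliberately strict rather than trying to escape for both make and sh at once, which is error-prone; where a value genuinely needs to be free-form, the safer design is to keep it out of the recipe text entirely and pass it as a separate argument through `os/exec` without a shell.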
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor           Product           Version / Range
linuxfoundation  inspektor_gadget  up to 0.48.1 (excluding)
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a command injection issue in the Inspektor Gadget tool's image building process. Specifically, the Makefile template used during image building includes user-controlled data without proper escaping. An attacker who can control certain build options in the YAML manifest used by the 'ig image build' command can execute arbitrary commands on the Linux host or build container during the image build. This can happen if untrusted gadget manifests are built, such as in CI/CD pipelines. The issue was fixed in version 0.48.1.


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker to execute arbitrary commands on the Linux host or build container where the image build is performed. This could lead to unauthorized access, data compromise, or disruption of the system running the 'ig' command. The attacker needs to control the build manifest or its options, which might be possible in environments that build untrusted gadgets, such as CI/CD pipelines.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Inspektor Gadget to version 0.48.1 or later, as this version fixes the command injection vulnerability in the image building process. Additionally, avoid building images from untrusted gadget manifests or controlling the build.yml file passed to the `ig image build` command, especially in CI/CD scenarios.

