Docker & BuildKit Hit by Multiple High-Severity CVEs, Urgent Update to v29.3.1 Required
Docker and its BuildKit build engine are under immediate pressure following the disclosure of four high-severity vulnerabilities, the highest of which scores 8.8 on the CVSS scale (a High rating; Critical begins at 9.0). The flaws, tracked as CVE-2026-33747, CVE-2026-33748, CVE-2026-33997 and CVE-2026-34040, have prompted an urgent directive to update Docker Engine to version 29.3.1 or later and BuildKit to version 0.28.1 or later.
The highest-scoring vulnerability, CVE-2026-34040, carries a CVSS score of 8.8. CVE-2026-33747 (CVSS 8.4) specifically affects BuildKit, the build engine that turns a build definition such as a Dockerfile into images and other artifacts. It allows a malicious, untrusted BuildKit frontend to craft API messages that write files outside BuildKit's designated state directory. Crucially, exploitation requires the build to use an untrusted frontend image, selected either by a `# syntax=` parser directive at the top of the Dockerfile or by the `--build-arg BUILDKIT_SYNTAX=<image>` build argument (which overrides the directive); builds that use the official `docker/dockerfile` frontend are not affected.
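Because the precondition for CVE-2026-33747 is a non-official frontend, the practical triage step is to find every Dockerfile in a repository whose `# syntax=` directive names something other than `docker/dockerfile`, and to confirm the engine version is at or above 29.3.1. The script below is an added example written for this article, not code from Docker, BuildKit or the advisory. It assumes the trusted frontend is exactly the `docker/dockerfile` image (any tag or digest, optionally prefixed with `docker.io/`), that Dockerfiles are named `Dockerfile`, `Dockerfile.*` or `*.Dockerfile`, and that versions are plain dotted numbers. A file scan cannot see a `--build-arg BUILDKIT_SYNTAX=...` passed on the command line, so `is_trusted_frontend` is exposed separately for checking that value in CI scripts.

```shell
#!/bin/sh
# Added example: audit Dockerfiles for untrusted BuildKit frontends and check
# the engine version against the fixed release. Not part of Docker or BuildKit.

# Assumption: the official frontend named in the advisory is the only trusted one.
TRUSTED_FRONTEND='docker/dockerfile'
FIXED_ENGINE_VERSION='29.3.1'

# Print the frontend image named by a "# syntax=" parser directive, if present.
# Parser directives must precede every instruction and are case-insensitive,
# so scanning stops at the first non-blank, non-comment line.
dockerfile_frontend() {
    awk '
        /^[ \t]*$/ { next }                       # blank line: keep looking
        /^[ \t]*#/ {
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)       # drop "#" and surrounding space
            if (tolower(line) ~ /^syntax[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)    # keep only the image reference
                sub(/[ \t]+$/, "", line)
                print line
                exit
            }
            next                                  # some other comment or directive
        }
        { exit }                                  # first instruction: no more directives
    ' "$1"
}

# Return 0 when the image reference is the official frontend with any tag or digest.
is_trusted_frontend() {
    case "$1" in
        "$TRUSTED_FRONTEND"|"$TRUSTED_FRONTEND":*|"$TRUSTED_FRONTEND"@*) return 0 ;;
        docker.io/"$TRUSTED_FRONTEND"|docker.io/"$TRUSTED_FRONTEND":*|docker.io/"$TRUSTED_FRONTEND"@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<path><TAB><frontend>" for every Dockerfile under $1 whose directive
# names an untrusted frontend. Prints nothing when all builds are safe.
audit_dockerfiles() {
    find "$1" -type f \( -name Dockerfile -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \) |
    while IFS= read -r f; do
        fe=$(dockerfile_frontend "$f")
        [ -n "$fe" ] || continue                  # no directive: default frontend
        is_trusted_frontend "$fe" || printf '%s\t%s\n' "$f" "$fe"
    done
}

# Return 0 when dotted version $1 is >= $2, comparing each component numerically.
# A leading "v" (as printed by some tools) is ignored.
version_ge() {
    a=${1#v}; b=${2#v}
    lowest=$(printf '%s\n%s\n' "$b" "$a" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$b" ]
}

# Return 0 when the given Docker Engine version includes the fix.
engine_patched() {
    version_ge "$1" "$FIXED_ENGINE_VERSION"
}

# Stand-alone usage: audit the current tree and the running engine.
if [ "${1-}" = "--run" ]; then
    audit_dockerfiles "${2-.}"
    if command -v docker >/dev/null 2>&1; then
        ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
        if engine_patched "$ver"; then echo "engine $ver: patched"
        else echo "engine $ver: UPDATE to $FIXED_ENGINE_VERSION or later"; fi
    fi
fi
```

Run it as `sh audit.sh --run /path/to/repos`. In a pipeline, feed the value of `BUILDKIT_SYNTAX` (if your build passes one) to `is_trusted_frontend` as well, since that argument takes precedence over the directive in the file.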
Together, these vulnerabilities are a significant exposure for the container ecosystem built on Docker. The update places immediate operational pressure on development, DevOps and security teams across enterprises to patch both their container runtimes and the build infrastructure that runs BuildKit. Unpatched systems remain open to attacks that compromise build pipelines and container integrity, with the potential for supply chain compromise or unauthorized writes to the file system.