CVE Reports

Originally published at cvereports.com

CVE-2026-24905: Command Injection in Inspektor Gadget Image Builder

Vulnerability ID: CVE-2026-24905
CVSS Score: 7.8
Published: 2026-04-22

Inspektor Gadget versions prior to 0.48.1 contain a command injection vulnerability in the ig image build command. The parser for the build.yml manifest does not sanitize the cflags field before handing it to the underlying make invocation. Anyone who can supply or modify a manifest (for example through a pull request to a gadget repository that CI builds automatically) can therefore execute arbitrary OS commands with the privileges of the build process.

TL;DR

A flaw in Inspektor Gadget's build manifest parser allows command injection via the cflags parameter, leading to arbitrary code execution during the image build process.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-77, CWE-78
  • Attack Vector: Local / Context-dependent
  • CVSS v3.1: 7.8
  • CVSS v4.0: 6.6
  • EPSS Score: 0.00106
  • Exploit Status: Proof of Concept
  • Impact: Arbitrary Command Execution

Affected Systems

  • Inspektor Gadget < 0.48.1 (fixed in 0.48.1)
  • CI/CD build pipelines using Inspektor Gadget
  • Developer workstations building eBPF gadgets

Code Analysis

The fix does not try to escape or validate the field; it removes cflags from the manifest format altogether, which is the only robust option when the value ends up inside a make invocation. Commits referenced by the advisory:

  • 7c83ad8: Fix command injection by removing cflags
  • 2d31374: Implementation of USE_IN_TREE_HEADERS configuration

Mitigation Strategies

  • Upgrade to Inspektor Gadget 0.48.1 or later
  • Only build from manifests you trust; treat a build.yml arriving in an untrusted pull request as untrusted code
  • Apply least privilege in CI/CD environments so that a compromised build job cannot reach secrets or deploy credentials
  • Isolate build processes in ephemeral containers that are discarded after each build

Remediation Steps:

  1. Identify all systems and CI/CD pipelines that run ig image build.
  2. Upgrade the ig binary to version 0.48.1 or newer; the cflags field is no longer accepted there.
  3. Audit existing build.yml files for the presence of the removed cflags field. A value containing shell metacharacters or a make expansion such as $(shell ...) deserves the same scrutiny as an unexpected commit.
  4. Verify that build processes run with the minimum necessary permissions.
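The audit in step 3 is easy to script. The following Go program is an added example written for this article, not code from the Inspektor Gadget project: it performs a line-oriented scan of a build.yml for a top-level cflags key and classifies the value, rejecting anything with shell metacharacters or make expansions and allowing only plain flag tokens. The manifests it scans are constructed for the example, and the keys other than cflags are illustrative placeholders; the function names and the allowlist regex are the author's own choices.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one cflags occurrence located in a build.yml manifest.
type Finding struct {
	Line   int    // 1-based line number in the manifest
	Value  string // value with surrounding quotes stripped ("" for block scalars)
	Safe   bool   // true only if every token looks like a plain compiler flag
	Reason string // why the value was rejected; empty when Safe
}

var (
	// Top-level "cflags:" key. This is a deliberate line-oriented scan, not a YAML
	// parser (assumption: the field sits at the top level as a one-line scalar).
	cflagsKey = regexp.MustCompile(`^cflags\s*:\s*(.*)$`)
	// Characters that end or chain a command once make hands the recipe line to
	// /bin/sh, plus "$(" and "${", which make expands itself (e.g. "$(shell id)").
	metaChars = regexp.MustCompile("[;&|<>`]|\\$\\(|\\$\\{")
	// Conservative allowlist for a single flag token such as -O2, -DFOO=1 or -I/usr/include.
	safeToken = regexp.MustCompile(`^-[A-Za-z0-9_=+./,-]+$`)
)

// CheckCflags reports whether a cflags value consists solely of plain flag tokens.
func CheckCflags(value string) (bool, string) {
	if value == "" {
		return false, "empty or multi-line value; inspect manually"
	}
	if m := metaChars.FindString(value); m != "" {
		return false, fmt.Sprintf("shell/make metacharacter %q", m)
	}
	for _, tok := range strings.Fields(value) {
		if !safeToken.MatchString(tok) {
			return false, fmt.Sprintf("token %q is not a plain compiler flag", tok)
		}
	}
	return true, ""
}

// ScanManifest returns every cflags line in the manifest together with its verdict.
func ScanManifest(manifest string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(manifest, "\n") {
		m := cflagsKey.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		value := strings.TrimSpace(m[1])
		switch {
		case strings.HasPrefix(value, "|"), strings.HasPrefix(value, ">"):
			value = "" // YAML block scalar: the value continues on later lines
		case len(value) >= 2 && (value[0] == '"' || value[0] == '\'') && value[len(value)-1] == value[0]:
			value = value[1 : len(value)-1]
		}
		safe, reason := CheckCflags(value)
		findings = append(findings, Finding{Line: i + 1, Value: value, Safe: safe, Reason: reason})
	}
	return findings
}

// Constructed sample manifests (not real gadget sources). Keys other than cflags
// are illustrative placeholders for whatever else a manifest carries.
const benignManifest = `ebpfsource: program.bpf.c
metadata: gadget.yaml
cflags: "-O2 -DDEBUG=1"
`

const hostileManifest = `ebpfsource: program.bpf.c
cflags: "-O2; id"
`

func main() {
	for _, s := range []struct{ name, body string }{{"benign", benignManifest}, {"hostile", hostileManifest}} {
		for _, f := range ScanManifest(s.body) {
			fmt.Printf("%-7s line %d cflags=%q safe=%t %s\n", s.name, f.Line, f.Value, f.Safe, f.Reason)
		}
	}
}
```

The allowlist is intentionally strict: a flag whose argument is a separate token (-I /usr/include) is rejected along with quoted or variable-bearing values, and the reviewer decides. That conservatism reflects why the upstream fix removes the field rather than escaping it. A cflags value passed to make reaches a shell twice over: make expands $(...) constructs itself, and the recipe line that references the variable is then run by /bin/sh, so neither shell quoting nor argv separation on the ig side closes the hole on its own.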

Read the full report for CVE-2026-24905 on our website for more details including interactive diagrams and full exploit analysis.