CVE-2026-24905
Published: 29 January 2026
Summary
CVE-2026-24905 is a high-severity Command Injection (CWE-77) vulnerability in Linuxfoundation Inspektor Gadget. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The vulnerability is ranked at the 28.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): implements input validation on YAML gadget manifests passed to `ig image build` to prevent command injection from unescaped user-controlled data.
- SI-2 (Flaw Remediation): requires timely flaw remediation by upgrading Inspektor Gadget to version 0.51.1 or later to eliminate the command injection vulnerability.
- Least privilege: restricts the `ig` process and build environment to limit the scope and impact of arbitrary commands executed via injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in ig image build directly enables arbitrary Unix shell command execution on the host or build container via unsanitized YAML input to Makefile templates.
NVD Description
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template employed during the building process. This file includes user-controlled data in an unsafe fashion; specifically, some parameters are embedded without adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure would be able to execute arbitrary commands during the building process. An attacker able to exploit this vulnerability would be able to execute arbitrary commands on the Linux host where the `ig` command is launched, if images are built with the `--local` flag, or on the build container invoked by `ig`, if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command, or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.51.1 fixes the issue.
Deeper analysis
CVE-2026-24905 is a command injection vulnerability (CWE-77, CWE-78) in Inspektor Gadget, a framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The flaw affects the `ig` binary's image building subcommand, implemented in `inspektor-gadget/cmd/common/image/build.go` and relying on the `Makefile.build` template. User-controlled data from the `buildOptions` structure, extracted from the YAML gadget manifest passed to `ig image build`, is embedded without adequate escaping into Makefile commands. Versions prior to 0.48.1 are vulnerable, with a CVSS score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker must control the `build.yml` file or its options supplied to `ig image build`, such as in a CI/CD pipeline verifying untrusted gadgets. Exploitation enables arbitrary command execution on the Linux host running the `ig` command when the `--local` flag is used, or on the build container otherwise.
The vulnerability is addressed in version 0.51.1. Patches are provided in GitHub commits 7c83ad84ff7a68565655253e2cf1c5d2da695c1a and d9bf2fe4a180dad33ce57ca793ff4799ee7b8320, with further details in the security advisory GHSA-79qw-g77v-2vfh.
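The SI-10 control above amounts to validating every manifest-derived value before it reaches the Makefile template. The following Go example, added here and not taken from the Inspektor Gadget code base, shows that check: `buildOptions`, its fields and `validateBuildOptions` are hypothetical stand-ins for the real structure in `build.go`, and the manifests are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
)

// buildOptions is a hypothetical stand-in for the values that ig reads from
// build.yml and interpolates into Makefile.build; the real struct in
// cmd/common/image/build.go has different fields and is not reproduced here.
type buildOptions struct {
	EBPFSource string // path to the eBPF C source
	CFlags     string // extra compiler flags
	OutputFile string // name of the produced object
}

// safeValue matches only characters that neither make nor a POSIX shell
// treats specially inside a recipe line: no `$`, quotes, backticks, `;`,
// `|`, `&`, `<`, `>`, parentheses, `#`, backslashes or newlines.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9 ._/=+:@,-]*$`)

// validateBuildOptions rejects any option value that could change the
// meaning of the shell command it is substituted into. Running this before
// template expansion is the input-validation control the advisory names.
func validateBuildOptions(opts buildOptions) error {
	fields := []struct{ name, value string }{
		{"ebpfsource", opts.EBPFSource},
		{"cflags", opts.CFlags},
		{"outputfile", opts.OutputFile},
	}
	for _, f := range fields {
		if !safeValue.MatchString(f.value) {
			return fmt.Errorf("build option %s: value %q contains characters not allowed in a Makefile recipe", f.name, f.value)
		}
	}
	return nil
}

func main() {
	// Constructed sample manifests: one benign, one carrying a shell metacharacter.
	ok := buildOptions{EBPFSource: "program.bpf.c", CFlags: "-O2 -g", OutputFile: "gadget.o"}
	bad := buildOptions{EBPFSource: "program.bpf.c; true", OutputFile: "gadget.o"}
	fmt.Println("benign manifest:", validateBuildOptions(ok))
	fmt.Println("tainted manifest:", validateBuildOptions(bad))
}
```

An allowlist like this is deliberately stricter than escaping: a value that does not fit the pattern is refused outright rather than quoted, so a CI pipeline building untrusted gadgets fails closed.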
Details
- CWE(s)