CVE-2026-24905
📋 TL;DR
CVE-2026-24905 is a command injection vulnerability in Inspektor Gadget's image building functionality. An attacker who can control the YAML gadget manifest passed to the 'ig image build' command can execute arbitrary commands on the Linux host or build container. This primarily affects CI/CD pipelines that build untrusted gadgets for verification.
💻 Affected Systems
- Inspektor Gadget
📦 What is this software?
Inspektor Gadget by the Linux Foundation
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Linux host where 'ig' is executed, allowing an attacker to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Compromise of the build container with limited impact, potentially leading to supply chain attacks or credential theft.
If Mitigated
No impact if building only trusted gadgets with proper input validation and sandboxing.
🎯 Exploit Status
Exploitation requires control over the build.yml file or its options, typically through CI/CD pipeline manipulation or compromised accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.48.1
Vendor Advisory: https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-79qw-g77v-2vfh
Restart Required: No
Instructions:
1. Update Inspektor Gadget to version 0.48.1 or later.
2. For containerized deployments, rebuild images with the updated version.
3. Verify the fix by checking the version with 'ig version'.
🔧 Temporary Workarounds
Restrict Build Input
Only build gadgets from trusted, verified YAML manifests. Do not process untrusted gadget definitions.
Isolate Build Environment
Run 'ig image build' in isolated containers or sandboxes with minimal privileges.
docker run --rm -v $(pwd):/work -w /work inspektor-gadget/ig:latest image build gadget.yml
🧯 If You Can't Patch
- Disable 'ig image build' functionality entirely if not required
- Implement strict input validation and sanitization for YAML manifests before processing
🔍 How to Verify
Check if Vulnerable:
You are affected if you run Inspektor Gadget version < 0.48.1 and 'ig image build' is used with potentially untrusted YAML manifests.
Check Version:
ig version
Verify Fix Applied:
Run 'ig version' and confirm the version is 0.48.1 or higher. Test building a gadget with controlled input to ensure command injection is prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in build process logs
- Unexpected processes spawned during gadget builds
- Failed build attempts with suspicious parameters
Network Indicators:
- Unexpected outbound connections from build containers during image creation
SIEM Query:
source="ig" AND "image build" AND (process_name NOT IN expected_build_processes OR command_line CONTAINS suspicious_patterns)