CVE-2026-24905: Inspektor Gadget: Command Injection via malicious buildOptions manipulation

April 22, 2026 (updated April 30, 2026)

The ig binary provides a subcommand for image building, used to generate custom gadget OCI images.

A part of this functionality is implemented in the file inspektor-gadget/cmd/common/image/build.go.

The following is the code responsible to construct the build command:

func buildCmd(options buildOptions) []string {
cmd := []string{
"make", "-f", filepath.Join(options.outputDir, "Makefile.build"),
"-j", fmt.Sprintf("%d", runtime.NumCPU()),
"OUTPUTDIR=" + options.outputDir,
"CFLAGS=" + options.cFlags,
"FORCE_COLORS=" + options.forceColorsFlag,
}

if options.ebpfSourcePath != "" {
cmd = append(cmd, "EBPFSOURCE="+options.ebpfSourcePath, "ebpf")
}
if options.wasmSourcePath != "" {
cmd = append(cmd, "WASM="+options.wasmSourcePath, "wasm")
}
if options.btfgen {
cmd = append(cmd, "BTFHUB_ARCHIVE="+options.btfHubArchivePath, "btfgen")
}

return cmd
}

The Makefile.build file is the Makefile template employed during the building process.

This file includes user-controlled data in an unsafe fashion, specifically some parameters are embedded without an adequate escaping in the commands inside the Makefile.

This implementation is vulnerable to command injection: an attacker able to control values in the buildOptions structure would be able to execute arbitrary commands during the building process.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-24905 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →