CVE-2026-24905: Command Injection in Inspektor Gadget Image Builder

Inspektor Gadget is a system inspection framework for Linux and Kubernetes that utilizes eBPF programs. The framework includes a command-line utility, ig, which provides functionalities for building and packaging custom eBPF programs into OCI images. The ig image build subcommand processes user-supplied configuration through a YAML manifest file named build.yml.

CVE-2026-24905 is a command injection vulnerability located in the parsing and execution logic of this build process. The vulnerability arises because user-controlled input from the manifest is passed directly into a shell execution context without adequate sanitization. Specifically, the cflags field within the build.yml file is vulnerable to OS command injection (CWE-78).

The vulnerability carries a CVSS 3.1 score of 7.8, reflecting a high-severity local attack vector. Exploitation requires the attacker to supply a malicious build.yml file to the ig image build command. Successful exploitation grants the attacker arbitrary command execution privileges within the context of the build process.

The root cause of CVE-2026-24905 lies in the interaction between the Go-based CLI and the underlying make build system. When a developer invokes ig image build, the binary reads the build.yml manifest to configure the eBPF compilation process. The vulnerable code in cmd/common/image/build.go extracts the cflags value and appends it to a command arguments array.

This arguments array constructs a make command invocation. The cflags string is passed verbatim as a variable override in the format CFLAGS=.... The make utility then processes the Makefile.build template to compile the eBPF source code.

Within Makefile.build, the CFLAGS variable is expanded inside a compilation recipe. Because make executes recipes by passing the entire evaluated command string to a system shell, any shell metacharacters included in the CFLAGS variable are interpreted by the shell. The application fails to neutralize these special elements, resulting in a classic command injection condition.

The vulnerable implementation in inspektor-gadget/cmd/common/image/build.go explicitly passed the unsanitized cflags value to the build command. The buildCmd function constructed the execution arguments by directly concatenating the user input with the CFLAGS= prefix.

// Vulnerable implementation in build.go
func buildCmd(options buildOptions) []string {
    cmd := []string{
        "make", "-f", filepath.Join(options.outputDir, "Makefile.build"),
        "-j", fmt.Sprintf("%d", runtime.NumCPU()),
        "OUTPUTDIR=" + options.outputDir,
        "CFLAGS=" + options.cFlags, // Input directly appended
        "FORCE_COLORS=" + options.forceColorsFlag,
    }
    return cmd
}

The make process then utilized this variable in the Makefile.build compilation step. The variable expansion occurred directly within the shell command that invoked the Clang compiler.

# Vulnerable Makefile.build recipe
$(OUTPUTDIR)/%.bpf.o: $(EBPFSOURCE)
	$(CLANG) $(BASECFLAGS) $(subst @ARCH@,$*,$(CFLAGS)) -D __TARGET_ARCH_...

The patch resolves this by completely removing the cflags field from the manifest parser. Instead of allowing arbitrary compiler flags, the developers introduced a boolean flag named USE_IN_TREE_HEADERS. The CFLAGS variable was replaced by an internally populated INCLUDEFLAGS variable in the Makefile, eliminating the injection vector.

Exploiting this vulnerability requires the attacker to inject shell metacharacters into the cflags field of the build.yml manifest. An attacker must have the ability to supply this file to a system running the ig image build command. This scenario frequently occurs in CI/CD pipelines or shared build environments where automated systems compile repository code.

The following proof-of-concept demonstrates the injection technique. The payload uses semicolons to terminate the preceding command and initiate a new one.

ebpfsource: "program.bpf.c"
metadata: "gadget.yaml"
cflags: "; touch /tmp/pwned ;"

When the ig utility processes this file, the resulting shell command executed by make expands to include the injected payload. The shell evaluates clang ... ; touch /tmp/pwned ; -D __TARGET_ARCH_..., executing the attacker's command before attempting to evaluate the remainder of the original compilation string.

Successful exploitation yields arbitrary command execution within the context of the user or service account running the ig image build command. If the build process runs in an isolated container, the execution is constrained to that container environment. If the build runs directly on a developer workstation or build server, the attacker gains host-level access.

In a CI/CD environment, this access provides a pathway for lateral movement or credential theft. The attacker can extract environment variables, access build secrets, or tamper with the resulting OCI image artifact. This tampering facilitates supply chain attacks by embedding malicious code into the compiled eBPF gadget.

While the primary cflags injection vector is patched, structural risks remain in the codebase. Other fields such as ebpfsource and wasm are still passed as variables to the make process. If these fields are not rigorously validated for path safety and shell metacharacters by the ig binary, they represent theoretical secondary injection vectors.

The definitive remediation for CVE-2026-24905 is upgrading Inspektor Gadget to version 0.48.1 or later. This release removes the vulnerable code paths and transitions to a safer boolean-based configuration for include headers.

If immediate patching is not feasible, administrators must ensure that the ig image build command is only executed against trusted build.yml manifests. Organizations should prohibit the automated building of gadgets from untrusted external sources or community repositories until the software is updated.

Security teams should also review CI/CD pipeline configurations to enforce principle-of-least-privilege. Build environments should operate in isolated, ephemeral containers with restricted network access. This defense-in-depth approach limits the impact if an attacker successfully triggers the vulnerability or discovers a variant injection path.