Buildkit GRPC SecurityMode Privilege Check [CVE-2024-23653]

We discussed this vulnerability during Episode 239 on 05 February 2024

Deep within Buildkit there is access to the privileged GRPC API that could be abused to break out of a container during build-time.

This one is kinda cool because it's relatively simple. Generally speaking, the only users of the GRPC API are privileged users working through tools like the docker cli. In that context it kinda makes sense that the Container.Start command lacks any contextual authorization checking. However, it turns out Dockerfiles support a custom syntax via a # syntax=<path to docker image> line. This line runs the specified docker image and has that image process the Dockerfile and send the intermediate representation of the Dockerfile over the GRPC API. As such, this docker image is given access to the API and can reach other, unexpected commands like the previously mentioned Container.Start command. This means the Dockerfile custom syntax parser could start up an arbitrary container with any settings, including marking it as privileged (aka running as root on the host).
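Because the # syntax= line decides which image gets to talk to the builder's API, it is worth auditing before an untrusted Dockerfile is built. The following is an added example, not code from Buildkit or from the original write-up: a pre-build check that extracts the frontend image and flags it when it is outside an allowlist or not pinned by digest. The allowlist contents, the function names and the finding labels are assumptions, and the directive scan is a simplified, deliberately conservative reading of the parser-directive format.

```python
import re

# Assumption for this example: frontend repositories this organisation trusts.
TRUSTED_REPOS = {"docker/dockerfile", "docker.io/docker/dockerfile"}

# A directive-shaped comment: "# key=value", whitespace allowed around each part.
DIRECTIVE = re.compile(r"^#\s*([A-Za-z]+)\s*=\s*(\S.*)$")
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")


def frontend_image(dockerfile_text):
    """Return the image named by a leading '# syntax=' line, or None."""
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # conservative: blank lines do not end the scan
        m = DIRECTIVE.match(line)
        if m is None:
            return None  # ordinary comment or instruction: directives are over
        if m.group(1).lower() == "syntax":
            return m.group(2)
    return None


def repository(image):
    """Strip digest and tag, keeping any registry host and port."""
    name = image.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def audit(dockerfile_text):
    """List findings for the frontend a Dockerfile asks the builder to run."""
    image = frontend_image(dockerfile_text)
    if image is None:
        return []
    findings = []
    if repository(image) not in TRUSTED_REPOS:
        findings.append("untrusted-frontend")
    if not PINNED.search(image):
        findings.append("not-digest-pinned")
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = "# syntax=registry.example.com:5000/team/frontend:latest\nFROM alpine\nRUN true\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A check like this only covers the directive inside the Dockerfile; it complements, and does not replace, running a Buildkit release that contains the fix for this CVE.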