diff --git a/pkg/build/sbom.go b/pkg/build/sbom.go
index ca783f6c..45784428 100644
--- a/pkg/build/sbom.go
+++ b/pkg/build/sbom.go
@@ -23,6 +23,7 @@ import (
 	"log/slog"
 	"path/filepath"
 	"sort"
+	"strings"
 	"time"
 
 	osr "github.com/dominodatalab/os-release"
@@ -171,7 +172,18 @@ func readReleaseData(fsys fs.FS) (*osr.Data, error) {
 		return nil, fmt.Errorf("reading os-release: %w", err)
 	}
 
-	return osr.Parse(string(osReleaseData)), nil
+	releaseStr := string(osReleaseData)
+
+	// osr.Parse can panic if given improper input, so error early instead.
+	for _, line := range strings.Split(releaseStr, "\n") {
+		if line != "" {
+			if len(strings.Split(line, "=")) < 2 {
+				return nil, fmt.Errorf("invalid os-release line: %q", line)
+			}
+		}
+	}
+
+	return osr.Parse(releaseStr), nil
 }
 
 func GenerateIndexSBOM(ctx context.Context, o options.Options, ic types.ImageConfiguration, indexDigest name.Digest, imgs map[types.Architecture]oci.SignedImage) ([]types.SBOM, error) {
diff --git a/pkg/build/sbom_test.go b/pkg/build/sbom_test.go
index 0335d83e..22a5ddbe 100644
--- a/pkg/build/sbom_test.go
+++ b/pkg/build/sbom_test.go
@@ -52,3 +52,14 @@ func TestReadReleaseData_EmptyDefaults(t *testing.T) {
 	require.Equal(t, "unknown", info.VersionID)
 	require.Equal(t, "", info.PrettyName)
 }
+
+func TestBadReleaseData(t *testing.T) {
+	osinfoData := `hello, world! this is not a valid os-release file
+`
+	fsys := apkfs.NewMemFS()
+	require.NoError(t, fsys.MkdirAll(filepath.Dir("/etc/os-release"), os.FileMode(0o644)))
+	require.NoError(t, fsys.WriteFile("/etc/os-release", []byte(osinfoData), os.FileMode(0o644)))
+	// Bad data in file should err.
+	_, err := readReleaseData(fsys)
+	require.Error(t, err)
+}
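Review bot: The new pre-check in readReleaseData rejects any non-empty line without "=", which is stricter than the os-release format: lines starting with `#` are comments and a line consisting only of whitespace (or a trailing `\r` from CRLF input) would now fail the build with "invalid os-release line", where previously they were handed to osr.Parse (whether osr.Parse accepted them I cannot tell from here, so this is a possible regression to confirm). Splitting each line on "=" only to test the slice length also allocates for nothing; `strings.Contains(line, "=")` states the intent directly. Since the data comes from the image filesystem being built, turning a parser panic into a returned error is the right defensive direction; the check just needs to match the format's grammar so legitimate files are not rejected. The enclosing function starts before the hunk; the lines below replace the loop only.
```go
	for _, line := range strings.Split(releaseStr, "\n") {
		line = strings.TrimSpace(line)
		// Blank lines and "#" comments are legal in os-release files.
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.Contains(line, "=") {
			return nil, fmt.Errorf("invalid os-release line: %q", line)
		}
	}
	// … unchanged: return osr.Parse(releaseStr), nil …
```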
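Review bot: TestBadReleaseData only asserts that some error is returned, so it would also pass if readReleaseData failed at the earlier "reading os-release" step (for example if the in-memory file were never written), which is not what the test is meant to prove. Pin the error to the new validation with `require.ErrorContains(t, err, "invalid os-release line")`. A companion case with a `#` comment line and a blank line that is expected to succeed would document the accepted grammar at the same time; the existing TestReadReleaseData_EmptyDefaults fixture shows the pattern.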