diff --git a/integration/build/build_test.go b/integration/build/build_test.go
index 2a87204113..3f7b1dcf34 100644
--- a/integration/build/build_test.go
+++ b/integration/build/build_test.go
@@ -244,6 +244,75 @@ RUN cat somefile`
 	assert.Contains(t, image.Config.Env, "bar=baz")
 }
 
+// #35403 #36122
+func TestBuildUncleanTarFilenames(t *testing.T) {
+	ctx := context.TODO()
+	defer setupTest(t)()
+
+	dockerfile := `FROM scratch
+COPY foo /
+FROM scratch
+COPY bar /`
+
+	buf := bytes.NewBuffer(nil)
+	w := tar.NewWriter(buf)
+	writeTarRecord(t, w, "Dockerfile", dockerfile)
+	writeTarRecord(t, w, "../foo", "foocontents0")
+	writeTarRecord(t, w, "/bar", "barcontents0")
+	err := w.Close()
+	require.NoError(t, err)
+
+	apiclient := testEnv.APIClient()
+	resp, err := apiclient.ImageBuild(ctx,
+		buf,
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+
+	out := bytes.NewBuffer(nil)
+	require.NoError(t, err)
+	_, err = io.Copy(out, resp.Body)
+	resp.Body.Close()
+	require.NoError(t, err)
+
+	// repeat with changed data should not cause cache hits
+
+	buf = bytes.NewBuffer(nil)
+	w = tar.NewWriter(buf)
+	writeTarRecord(t, w, "Dockerfile", dockerfile)
+	writeTarRecord(t, w, "../foo", "foocontents1")
+	writeTarRecord(t, w, "/bar", "barcontents1")
+	err = w.Close()
+	require.NoError(t, err)
+
+	resp, err = apiclient.ImageBuild(ctx,
+		buf,
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+
+	out = bytes.NewBuffer(nil)
+	require.NoError(t, err)
+	_, err = io.Copy(out, resp.Body)
+	resp.Body.Close()
+	require.NoError(t, err)
+	require.NotContains(t, out.String(), "Using cache")
+}
+
+func writeTarRecord(t *testing.T, w *tar.Writer, fn, contents string) {
+	err := w.WriteHeader(&tar.Header{
+		Name:     fn,
+		Mode:     0600,
+		Size:     int64(len(contents)),
+		Typeflag: '0',
+	})
+	require.NoError(t, err)
+	_, err = w.Write([]byte(contents))
+	require.NoError(t, err)
+}
+
 type buildLine struct {
 	Stream string
 	Aux    struct {
diff --git a/pkg/tarsum/tarsum.go b/pkg/tarsum/tarsum.go
index 6ad152a2ed..8c8478a455 100644
--- a/pkg/tarsum/tarsum.go
+++ b/pkg/tarsum/tarsum.go
@@ -236,7 +236,7 @@ func (ts *tarSum) Read(buf []byte) (int, error) {
 				}
 				return n, err
 			}
-			ts.currentFile = path.Clean(currentHeader.Name)
+			ts.currentFile = path.Join(".", path.Join("/", currentHeader.Name))
 			if err := ts.encodeHeader(currentHeader); err != nil {
 				return 0, err
 			}