

RUSTSEC-2026-0147

Read-only volume remount bypass via guest CAP_SYS_ADMIN

Reported
Issued
Package: boxlite (crates.io)
Type: Vulnerability
Categories
Keywords: #sandbox #container #vm #virtiofs #mount
Aliases
References
CVSS Score: 10 CRITICAL
CVSS Details
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Changed
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched
  • >=0.9.0

Description

Affected versions of boxlite expose host directories to the guest as virtiofs shares and implement "read-only" by mounting them inside the guest with MS_RDONLY. That flag is set and enforced by the guest kernel alone, and the default guest capability set included CAP_SYS_ADMIN, so untrusted code running inside the sandbox could run mount -o remount,rw <path> to clear it. Subsequent writes passed through virtiofs to the host filesystem, fully escaping the read-only contract boxlite advertised to callers.

The fix in v0.9.0 enforces read-only at the hypervisor level via krun_add_virtiofs3, so the guest's MS_RDONLY is no longer the authoritative gate, and drops CAP_SYS_ADMIN from the default guest capability set (matching Docker's defaults). Dropping the capability removes the guest's ability to remount; hypervisor-side enforcement makes the host reject writes even if a workload is deliberately granted CAP_SYS_ADMIN and remounts anyway.

This is a sandbox-escape bug: boxlite is a sandboxing runtime, so the read-only invariant is part of its security contract. The upstream advisory rates it CVSS 10.0.
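A guest-side probe for this invariant, added here as an example and not code from the advisory or the boxlite project. It parses /proc/self/status and /proc/self/mountinfo (sample contents are constructed inline) to report whether a share is read-only only by guest flag while the process holds CAP_SYS_ADMIN, optionally runs the advisory's remount step, and then performs the only authoritative test, attempting a write through the share. The mount point /mnt/share, the `.ro-probe` file name and the sample CapEff values are assumptions; the Docker-default mask is the one Docker uses, but the process names around it are invented.

```rust
// Guest-side probe for the read-only invariant described above. Added as an
// illustration; not boxlite code. Meant to run on Linux inside the sandbox.
use std::fs;
use std::path::Path;
use std::process::Command;

/// Capability number of CAP_SYS_ADMIN (linux/capability.h).
const CAP_SYS_ADMIN: u32 = 21;

/// Effective capability mask from the `CapEff:` line of /proc/<pid>/status.
fn effective_caps(status: &str) -> Option<u64> {
    status
        .lines()
        .find_map(|l| l.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
}

/// True if the process may call mount(2) with MS_REMOUNT in its namespace.
fn has_cap_sys_admin(status: &str) -> bool {
    effective_caps(status).map_or(false, |caps| caps & (1u64 << CAP_SYS_ADMIN) != 0)
}

/// Undo the octal escaping mountinfo applies to path fields.
fn unescape(field: &str) -> String {
    field
        .replace("\\040", " ")
        .replace("\\011", "\t")
        .replace("\\012", "\n")
        .replace("\\134", "\\")
}

/// Whether the guest kernel holds `target` read-only, either as a per-mount
/// flag (6th field) or a superblock flag (last field). None if not a mount point.
fn mount_is_readonly(mountinfo: &str, target: &str) -> Option<bool> {
    let has_ro = |opts: &str| opts.split(',').any(|o| o == "ro");
    for line in mountinfo.lines() {
        // Fields never contain raw spaces (they are escaped), so " - " is the separator.
        let (pre, post) = match line.split_once(" - ") {
            Some(parts) => parts,
            None => continue,
        };
        let pre: Vec<&str> = pre.split(' ').collect();
        let post: Vec<&str> = post.split(' ').collect();
        if pre.len() < 6 || post.len() < 3 || unescape(pre[4]) != target {
            continue;
        }
        return Some(has_ro(pre[5]) || has_ro(post[2]));
    }
    None
}

/// Combine the two guest-visible signals into the situation the advisory
/// describes: "ro" only by guest flag plus CAP_SYS_ADMIN means a single
/// `mount -o remount,rw` stands between the sandbox and the host files.
fn verdict(status: &str, mountinfo: &str, target: &str) -> &'static str {
    match (mount_is_readonly(mountinfo, target), has_cap_sys_admin(status)) {
        (None, _) => "not a mount point",
        (Some(false), _) => "already read-write in the guest",
        (Some(true), true) => "read-only by guest flag only, CAP_SYS_ADMIN held: remountable",
        (Some(true), false) => "read-only, CAP_SYS_ADMIN dropped: guest remount blocked",
    }
}

/// The only authoritative test: try to create a file. With hypervisor-side
/// enforcement the host rejects this even if the guest believes the mount is rw.
fn write_probe(target: &Path) -> bool {
    let probe = target.join(".ro-probe"); // assumed scratch name
    match fs::OpenOptions::new().write(true).create_new(true).open(&probe) {
        Ok(_) => {
            let _ = fs::remove_file(&probe);
            true
        }
        Err(_) => false,
    }
}

// Constructed sample inputs for offline checking (not captured from a real box).
const STATUS_WITH_ADMIN: &str = "Name:\tsh\nCapEff:\t000001ffffffffff\n";
const STATUS_DOCKER_DEFAULT: &str = "Name:\tsh\nCapEff:\t00000000a80425fb\n";
const MOUNTINFO: &str = "\
25 0 8:1 / / rw,relatime - ext4 /dev/root rw,errors=remount-ro
36 25 0:42 / /mnt/share ro,relatime - virtiofs host_share ro
37 25 0:43 / /mnt/rw rw,relatime - virtiofs other rw
38 25 0:44 / /mnt/my\\040share rw,relatime - virtiofs third ro
";

fn main() {
    let args: Vec<String> = std::env::args().collect();
    let target = args.get(1).cloned().unwrap_or_else(|| "/mnt/share".to_string());
    let status = fs::read_to_string("/proc/self/status").unwrap_or_default();
    let mountinfo = fs::read_to_string("/proc/self/mountinfo").unwrap_or_default();
    println!("{target}: {}", verdict(&status, &mountinfo, &target));
    if args.iter().any(|a| a == "--remount") {
        // The exact step from the advisory; succeeds only with CAP_SYS_ADMIN.
        let ok = Command::new("mount")
            .args(["-o", "remount,rw", &target])
            .status()
            .map_or(false, |s| s.success());
        println!("remount,rw: {}", if ok { "succeeded" } else { "refused" });
    }
    let writable = write_probe(Path::new(&target));
    println!("write probe: {}", if writable { "WRITABLE (invariant broken)" } else { "rejected" });
}
```

Run it inside the guest as `probe /mnt/share --remount`: on an affected version the verdict line reports "remountable", the remount succeeds and the write probe reports WRITABLE; on 0.9.0 or later the remount is refused, and even when CAP_SYS_ADMIN has been re-granted the write probe is still rejected because the share is read-only at the hypervisor.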

Advisory available under CC0-1.0 license.