RUSTSEC-2026-0148

OCI layer symlink escape → arbitrary host write

Reported
Issued
Package
boxlite (crates.io)
Type
Vulnerability
Categories
Keywords
#sandbox #container #oci #tar #symlink #path-traversal
Aliases
References
CVSS Score
10 CRITICAL
CVSS Details
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality Impact
High
Integrity Impact
High
Availability Impact
High
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched
  • >=0.9.0

Description

Affected versions of boxlite extract OCI image layer tarballs without confining path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path (e.g. escape -> /tmp) followed by a file entry that resolves through that symlink (e.g. escape/<path>/pwned.txt) causes the extractor to write the payload to the host filesystem outside the intended rootfs directory.

The fix in v0.9.0 routes every destructive filesystem operation through a SafeRoot handle (openat2(RESOLVE_IN_ROOT) on Linux, lexical fallback elsewhere) so that no tar entry can resolve outside the extraction root, even with adversarial symlinks placed by earlier entries in the same layer.

This is a container escape during image extraction, exploitable by any user who pulls or loads a malicious OCI image — including via SimpleBox(rootfs_path=...) from an untrusted local layout.
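The two behaviours the advisory contrasts, a naive extractor that follows absolute symlink targets onto the host versus one whose resolution is anchored at the extraction root, can be modelled without touching a real filesystem. The following is an added example, not boxlite's code: `resolve` walks a tar entry name component by component against an in-memory table of the symlinks earlier entries have created (standing in for readlink(2)); with `contained == false` it behaves like the vulnerable extractor, with `contained == true` it emulates the lexical semantics of openat2(RESOLVE_IN_ROOT) (absolute targets and `..` are re-anchored at the root) without calling openat2 itself. `scan_layer` uses both modes to flag, before extraction, every entry that would land outside the root. The root path, the `Entry` type and the sample layer are constructed for the example; the layer reuses the `escape -> /tmp` pattern from the advisory plus a relative `..` link.

```rust
use std::collections::{HashMap, VecDeque};
use std::path::{Path, PathBuf};

/// Linux follows at most 40 symlinks per lookup before returning ELOOP.
const MAX_SYMLINK_HOPS: usize = 40;

/// One tar entry of an OCI layer, reduced to what path resolution needs (constructed type).
#[derive(Debug, Clone)]
pub enum Entry {
    Dir(String),
    File(String),
    Symlink { name: String, target: String },
}

/// Symlinks created so far, keyed by root-relative path. This in-memory table
/// stands in for readlink(2) on the partially extracted rootfs.
#[derive(Default)]
pub struct LinkTable {
    links: HashMap<PathBuf, String>,
}

impl LinkTable {
    pub fn record(&mut self, rel: PathBuf, target: String) {
        self.links.insert(rel, target);
    }
    fn readlink(&self, rel: &Path) -> Option<&String> {
        self.links.get(rel)
    }
}

/// Resolve `name` under `root`, following recorded symlinks.
/// contained == false: naive walk, an absolute link target jumps to the host path.
/// contained == true : RESOLVE_IN_ROOT semantics, absolute targets restart at `root`
///                     and `..` cannot climb above it, so the result always stays inside.
pub fn resolve(root: &Path, name: &str, links: &LinkTable, contained: bool) -> Result<PathBuf, String> {
    let mut cur = root.to_path_buf();
    let mut queue: VecDeque<String> = name.split('/').map(String::from).collect();
    let mut hops = 0usize;
    while let Some(comp) = queue.pop_front() {
        match comp.as_str() {
            "" | "." => continue,
            ".." => {
                if !(contained && cur.as_path() == root) {
                    cur.pop();
                }
            }
            c => {
                let candidate = cur.join(c);
                // Only paths still under root can hit a recorded link; anything that already
                // left root (naive mode) is a real host path we do not model further.
                let link = candidate.strip_prefix(root).ok().and_then(|rel| links.readlink(rel));
                match link {
                    None => cur = candidate,
                    Some(target) => {
                        hops += 1;
                        if hops > MAX_SYMLINK_HOPS {
                            return Err(format!("{name}: too many symlink hops (ELOOP)"));
                        }
                        if target.starts_with('/') {
                            cur = if contained { root.to_path_buf() } else { PathBuf::from("/") };
                        }
                        // Splice the link target's components in front of what remains.
                        for t in target.split('/').rev() {
                            queue.push_front(t.to_string());
                        }
                    }
                }
            }
        }
    }
    Ok(cur)
}

/// Walk a layer in tar order, recording each symlink where a contained extractor would
/// create it, and report every entry a naive extractor would write outside `root`.
pub fn scan_layer(root: &Path, entries: &[Entry]) -> Vec<(String, PathBuf)> {
    let mut links = LinkTable::default();
    let mut escapes = Vec::new();
    for e in entries {
        match e {
            Entry::Symlink { name, target } => {
                // Creating a link must not follow its final component, so resolve the parent only.
                let (parent, base) = name.rsplit_once('/').unwrap_or(("", name.as_str()));
                if let Ok(dir) = resolve(root, parent, &links, true) {
                    if let Ok(rel) = dir.join(base).strip_prefix(root) {
                        links.record(rel.to_path_buf(), target.clone());
                    }
                }
            }
            Entry::File(name) | Entry::Dir(name) => match resolve(root, name, &links, false) {
                Ok(p) if !p.starts_with(root) => escapes.push((name.clone(), p)),
                Ok(_) => {}
                Err(why) => escapes.push((name.clone(), PathBuf::from(why))),
            },
        }
    }
    escapes
}

/// Constructed sample layer: benign entries, the advisory's absolute-target pattern,
/// and a relative `..` link that climbs out of the rootfs.
pub fn sample_layer() -> Vec<Entry> {
    vec![
        Entry::Dir("usr/".into()),
        Entry::File("usr/bin/app".into()),
        Entry::Symlink { name: "escape".into(), target: "/tmp".into() },
        Entry::File("escape/pwned.txt".into()),
        Entry::Symlink { name: "up".into(), target: "../../../..".into() },
        Entry::File("up/etc/cron.d/job".into()),
    ]
}

fn main() {
    let root = Path::new("/var/lib/boxlite/rootfs");
    for (entry, host_path) in scan_layer(root, &sample_layer()) {
        println!("ESCAPE: {entry} would be written to {}", host_path.display());
    }
}
```

Running the scanner over the sample layer reports `escape/pwned.txt` landing at `/tmp/pwned.txt` and `up/etc/cron.d/job` at `/etc/cron.d/job`; resolving the same names with `contained == true` yields `<root>/tmp/pwned.txt` and `<root>/etc/cron.d/job`, which is exactly the containment property the v0.9.0 SafeRoot handle enforces. The model is lexical only: it ignores hard links and pre-existing host symlinks, which is why the real fix relies on the kernel's RESOLVE_IN_ROOT where available rather than on a userspace walk.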

Advisory available under CC0-1.0 license.