CVE-2026-39421

Name of the Vulnerable Software and Affected Versions MaxKB versions prior to 2.8.0

Description A sandbox escape exists in the ToolExecutor component. An authenticated attacker with workspace privileges can bypass the LD PRELOAD-based sandbox.so module by using the Python ctypes library to execute raw system calls. This allows for arbitrary code execution via direct kernel system calls, which can lead to container compromise and full network exfiltration. The sandbox.so module intercepts standard system functions such as 'execve', 'system', 'connect', and 'open', as well as 'mprotect' to prevent PROT EXEC (executable memory) allocations, but it fails to block 'pkey mprotect'.

Recommendations Update to version 2.8.0.