PT-2026-42209 · Boxlite · Blox Lite

Published: 2026-05-16 · Updated: 2026-05-21 · CVE-2026-46695

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Boxlite versions prior to 0.9.0

Description
Boxlite is a sandbox service that allows users to create lightweight virtual machines and launch OCI containers to run untrusted code. The software fails to properly enforce read-only mounts for host directories shared via the virtiofs protocol (a host-guest shared filesystem protocol). While Boxlite attempts to implement read-only access by adding the MS_RDONLY flag after the VM starts, it does not restrict kernel capabilities within the container. Specifically, the all_capabilities() function grants all 41 capabilities, including Capability::SysAdmin (which allows various administrative operations).
Because of this, malicious code running inside the sandbox can execute a remount command to change the directory mode to read-write, bypassing the intended restriction. This allows an attacker to perform arbitrary write operations on host directories. In scenarios such as AI Agents, where credentials, configuration files, and virtual environments are mounted as read-only, an attacker could modify this data to achieve code execution on the host system, potentially introducing supply chain risks.
Technical details include the use of the krun_add_virtiofs() function, which lacked a read-only parameter, and the VolumeSpec structure where the read_only variable was not enforced at the hypervisor level.

Recommendations
Upgrade to Boxlite version 0.9.0 or later.
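
The condition described above can be audited from inside a guest: a virtiofs mount marked ro while the workload still holds CAP_SYS_ADMIN is read-only in name only. The following is an added example, not Boxlite code; the function names are hypothetical, and the status and mountinfo samples (mount points, device tags) are constructed in the layout of /proc/<pid>/status and /proc/<pid>/mountinfo.

```rust
// Added example (not Boxlite code). Inputs are the text of
// /proc/<pid>/status and /proc/<pid>/mountinfo read inside the guest.
const CAP_SYS_ADMIN: u32 = 21; // bit number from linux/capability.h

/// Parse the effective capability mask from /proc/<pid>/status text.
fn effective_caps(status: &str) -> Option<u64> {
    status
        .lines()
        .find_map(|l| l.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
}

/// Mount points of virtiofs mounts whose per-mount options include `ro`.
fn readonly_virtiofs_mounts(mountinfo: &str) -> Vec<String> {
    let mut out = Vec::new();
    for line in mountinfo.lines() {
        let fields: Vec<&str> = line.split_whitespace().collect();
        // Optional fields end at a lone "-"; the filesystem type follows it.
        let Some(sep) = fields.iter().position(|f| *f == "-") else { continue };
        if fields.len() < 6 || fields.get(sep + 1) != Some(&"virtiofs") { continue; }
        if fields[5].split(',').any(|o| o == "ro") {
            out.push(fields[4].to_string());
        }
    }
    out
}

/// Read-only virtiofs mounts that the audited process could itself remount.
fn unenforced_readonly(status: &str, mountinfo: &str) -> Vec<String> {
    match effective_caps(status) {
        Some(caps) if caps & (1u64 << CAP_SYS_ADMIN) != 0 => readonly_virtiofs_mounts(mountinfo),
        _ => Vec::new(),
    }
}

// Constructed samples: all 41 capabilities set vs. none; one ro virtiofs share.
const STATUS_ALL_CAPS: &str = "Name:\tsh\nCapEff:\t000001ffffffffff\n";
const STATUS_NO_CAPS: &str = "Name:\tsh\nCapEff:\t0000000000000000\n";
const MOUNTINFO: &str = "\
40 30 0:35 / /workspace ro,relatime - virtiofs shared0 rw
41 30 0:36 / /scratch rw,relatime - virtiofs shared1 rw
42 30 0:5 / /proc rw,nosuid - proc proc rw
";

fn main() {
    for m in unenforced_readonly(STATUS_ALL_CAPS, MOUNTINFO) {
        println!("read-only not enforceable against this process: {m}");
    }
}
```

An empty result only shows that the guest-side flag cannot be undone by this process; it says nothing about whether the host enforces read-only access for the share.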

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-46695
GHSA-G6WW-W5J2-R7X3
RUSTSEC-2026-0147

Affected Products

Blox Lite