PT-2026-44375 · Canonical · Multipass
Espreto
·
Published
2026-05-28
·
Updated
2026-06-23
·
CVE-2026-49237
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Canonical Multipass for macOS versions prior to 1.16.3
Description
An incomplete fix for a previous issue allows a local attacker to achieve local privilege escalation. Five binaries located in
/Library/Application Support/com.canonical.multipass/bin/ (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86 64, and sshfs server) remain writable by the installing user. The root LaunchDaemon com.canonical.multipassd.plist configures a PATH environment variable that prioritizes this directory and invokes these binaries by their bare names. A local attacker can replace one of these auxiliary binaries with a malicious wrapper, which is then executed with root privileges when triggered by the root daemon during routine operations, such as during a multipass launch command.Recommendations
Update to version 1.16.3 or later.
Exploit
Fix
Incorrect Default Permissions
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Multipass