PT-2026-44375 · Canonical · Multipass

Espreto

·

Published

2026-05-28

·

Updated

2026-06-23

·

CVE-2026-49237

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Canonical Multipass for macOS versions prior to 1.16.3
Description An incomplete fix for a previous issue allows a local attacker to achieve local privilege escalation. Five binaries located in /Library/Application Support/com.canonical.multipass/bin/ (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86 64, and sshfs server) remain writable by the installing user. The root LaunchDaemon com.canonical.multipassd.plist configures a PATH environment variable that prioritizes this directory and invokes these binaries by their bare names. A local attacker can replace one of these auxiliary binaries with a malicious wrapper, which is then executed with root privileges when triggered by the root daemon during routine operations, such as during a multipass launch command.
Recommendations Update to version 1.16.3 or later.

Exploit

Fix

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49237
GHSA-R2XG-X32F-23C5

Affected Products

Multipass