PT-2026-45035 · Boxlite Ai+1 · Blox Lite

Published 2026-05-29 · Updated 2026-06-11 · CVE-2026-47213

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Boxlite versions 0.8.2 and earlier

Description: Boxlite is a sandbox service that creates lightweight virtual machines to run untrusted code inside OCI containers. Users can configure a timeout for processes running inside these virtual machines, and when the timeout is reached the service is intended to terminate the process. However, the implementation delivers SIGALRM instead of the uncatchable SIGKILL. Because a process can install a handler for SIGALRM or ignore it entirely, malicious code can survive the timeout and keep executing. This can exhaust resources within the virtual machine and degrade the availability of the service. The issue is located in the start_timeout_watcher() function in guest/src/service/exec/timeout.rs, where expiry of the timeout_ms value triggers delivery of the wrong signal.

Recommendations: Update Boxlite to a version that incorporates commit 28159fc, which switches process termination on timeout to SIGKILL.
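The following Rust program is an added illustration written for this advisory; it is not Boxlite's timeout.rs and does not reproduce the project's code. It spawns a child that ignores ALRM (the behaviour the description attributes to malicious guest code), runs a minimal timeout watcher that delivers a chosen signal after `timeout_ms`, and reports whether the child actually exited. The function and type names (`timeout_watcher`, `run_with_signal`, `Outcome`) are hypothetical, and the signal is sent through the shell's `kill` builtin so the example needs only the standard library.

```rust
use std::process::{Child, Command, Stdio};
use std::thread::sleep;
use std::time::{Duration, Instant};

/// Result of a watcher run: did the child go away after the signal?
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Terminated,
    StillRunning,
}

/// Constructed stand-in for untrusted guest code: ignore ALRM, then exec into
/// a long sleep. The ignored disposition survives exec, so the resulting
/// process cannot be stopped by SIGALRM but can still be stopped by SIGKILL.
fn spawn_alrm_ignoring_child() -> std::io::Result<Child> {
    Command::new("sh")
        .arg("-c")
        .arg("trap '' ALRM; exec sleep 30")
        .stdout(Stdio::null())
        .stderr(Stdio::null())
        .spawn()
}

/// Minimal timeout watcher (hypothetical, not Boxlite's): wait `timeout_ms`,
/// deliver `sig` (a name such as "ALRM" or "KILL") via the shell's kill
/// builtin, then give the child a short grace period to exit.
pub fn timeout_watcher(child: &mut Child, timeout_ms: u64, sig: &str) -> Outcome {
    sleep(Duration::from_millis(timeout_ms));
    let _ = Command::new("sh")
        .arg("-c")
        .arg(format!("kill -{} {}", sig, child.id()))
        .status();
    let deadline = Instant::now() + Duration::from_millis(500);
    while Instant::now() < deadline {
        // try_wait reaps the child if it has exited, without blocking.
        if let Ok(Some(_status)) = child.try_wait() {
            return Outcome::Terminated;
        }
        sleep(Duration::from_millis(20));
    }
    Outcome::StillRunning
}

/// Run one watcher experiment with the given signal and clean up afterwards
/// so no sleeping process is left behind.
pub fn run_with_signal(sig: &str) -> Outcome {
    let mut child = spawn_alrm_ignoring_child().expect("sh not available");
    let outcome = timeout_watcher(&mut child, 100, sig);
    let _ = child.kill(); // std's kill() sends SIGKILL on Unix
    let _ = child.wait();
    outcome
}

fn main() {
    // The vulnerable pattern leaves the child running; the fixed pattern does not.
    println!("watcher with SIGALRM: {:?}", run_with_signal("ALRM"));
    println!("watcher with SIGKILL: {:?}", run_with_signal("KILL"));
}
```

A regression test for the fix is exactly the second case: spawn a child that ignores ALRM, let the timeout expire, and assert that the watcher still reaps it. Any signal other than SIGKILL (or SIGSTOP) is subject to the child's own disposition and therefore cannot serve as an enforcement boundary against untrusted code.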

Weakness Enumeration

Improper Resource Release

Related Identifiers

CVE-2026-47213
GHSA-XJHV-PP2R-6F82

Affected Products

Blox Lite