CVE-2026-46695: BoxLite: Permission Bypass in boxlite Allows Modification of Read-Only Files
BoxLite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, BoxLite does not restrict the kernel capabilities available inside the container, so malicious code can remount a read-only directory in rw mode and thereby gain write access to it. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A permission bypass in BoxLite, the sandbox service for running untrusted code inside lightweight virtual machines and OCI containers, allows malicious container code to remount read-only directories in read-write mode. The vulnerability is reachable over the network with no authentication required and no user interaction needed, as derived from the CVSS vector. Successful exploitation gives an attacker arbitrary write access to directories that should be read-only, enabling tampering with persisted files across the sandbox boundary. HarborGuard tracks the advisory for patch availability, as no fix version has been published upstream at this time.
HarborGuard Coverage
Detection for CVE-2026-46695 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from boxlite-ai/boxlite. Any image running a vulnerable version of BoxLite (below 0.9.0) will surface in scan results immediately.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 10.0 Critical and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls are available through HarborGuard policy enforcement, including network-policy isolation for workloads running BoxLite and capability-drop rules to reduce the kernel surface exposed inside containers.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable service is exposed over the network, meaning an attacker can reach it without requiring local or physical access.
- Authentication: Not required
No credentials or account of any kind are needed to trigger the vulnerability.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or operator.
- Attack complexity: Detail
The exploit is reliable and condition-free, with no race conditions or special environmental factors required to succeed.
Blast Radius
- An attacker can write arbitrary data to directories mounted as read-only inside the BoxLite sandbox, bypassing the intended isolation boundary.
- Malicious container code can tamper with configuration files, binaries, or other persisted content that the sandbox was designed to protect from modification.
- Because the scope is changed (S:C in the CVSS vector), the impact extends beyond the container itself and can affect the underlying host or adjacent resources sharing the same volume mounts.
- Confidentiality of stored data is also compromised, as the same remount capability that enables writes also grants read access to previously restricted directory contents.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all images in customer registries and CI pipelines that include boxlite-ai/boxlite at a version below 0.9.0. Because no upstream patch has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available, with auto-remediation customers receiving a rebuild, regression-test run, and a PR opened against affected workloads, as soon as the upstream fix is released. While awaiting the patch, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict which workloads can reach BoxLite instances, egress filtering to limit what untrusted container code can contact, and capability-drop enforcement (for example, dropping CAP_SYS_ADMIN and related kernel capabilities) to close the remount vector at the host level. These controls are configurable per environment and do not require waiting for an upstream release.
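To check whether a capability-drop control has actually taken effect, the following added example (not HarborGuard or BoxLite code) audits a container definition for the combination this advisory describes: CAP_SYS_ADMIN still present alongside read-only mounts. It assumes the container is described by an OCI runtime-spec `config.json` and treats a missing capabilities block as unrestricted; the sample configs and `/proc` status lines are constructed.

```python
import copy

CAP_SYS_ADMIN_BIT = 21  # value from linux/capability.h
CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")

def capeff_has_sys_admin(status_text):
    """Test the CAP_SYS_ADMIN bit in the CapEff line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_SYS_ADMIN_BIT) & 1)
    raise ValueError("no CapEff line in input")

def audit(config):
    """Return (capability sets holding CAP_SYS_ADMIN, read-only paths left exposed)."""
    caps = config.get("process", {}).get("capabilities")
    if caps is None:
        # Assumption: a config with no capabilities block drops nothing.
        holding = ["<no capabilities block>"]
    else:
        holding = [s for s in CAP_SETS if "CAP_SYS_ADMIN" in caps.get(s, [])]
    ro_paths = ["/"] if config.get("root", {}).get("readonly") else []
    ro_paths += [m["destination"] for m in config.get("mounts", [])
                 if "ro" in m.get("options", [])]
    # A read-only mount is only exposed when some set still carries the capability.
    return holding, (ro_paths if holding else [])

# Constructed sample configs, not taken from BoxLite.
WEAK = {
    "root": {"path": "rootfs", "readonly": True},
    "process": {"capabilities": {s: ["CAP_CHOWN", "CAP_SYS_ADMIN"]
                                 for s in ("bounding", "effective", "permitted")}},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/data", "type": "bind", "source": "/srv/data",
         "options": ["rbind", "ro"]},
    ],
}
HARDENED = copy.deepcopy(WEAK)
HARDENED["process"]["capabilities"] = {s: ["CAP_CHOWN"] for s in CAP_SETS[:3]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
    # Constructed /proc/<pid>/status lines: full capability mask vs. a reduced one.
    print(capeff_has_sys_admin("CapEff:\t000001ffffffffff"))
    print(capeff_has_sys_admin("CapEff:\t00000000a80425fb"))
```

The config audit shows what was requested; the `CapEff` check, run against the status of a process inside the container, shows what the kernel actually granted.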
- boxlite-ai / boxlite < 0.9.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N