HIGH | CVE-2026-49238 | CNA: canonical

CVE-2026-49238: SFTP Server VM Escape in Canonical Multipass

An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
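The bare prefix comparison the advisory describes, beside a hardened containment check, as an added C++ illustration of the bug class (this is not Multipass's own validate_path); the mount root "/home/u/share" and the requested paths are constructed examples.

```cpp
// Added illustration of the bug class described above; this is not
// Multipass's validate_path, and "/home/u/share" is a constructed mount root.
#include <filesystem>
#include <string>

namespace fs = std::filesystem;

// Weak check of the kind the advisory describes: a bare string prefix test.
// "/home/u/share/../../../etc/passwd" begins with "/home/u/share" and passes,
// as does the sibling directory "/home/u/share2".
bool naive_contains(const std::string& root, const std::string& requested) {
    return requested.rfind(root, 0) == 0;
}

// Drop trailing separators so "/a/b/" and "/a/b" compare equal ("/" is kept).
static std::string trim_trailing_sep(std::string s) {
    while (s.size() > 1 && s.back() == '/') s.pop_back();
    return s;
}

// Hardened check: normalise "." and ".." lexically, reject relative paths,
// then require the result to be the root itself or to sit beneath it with a
// separator at the boundary. A server that serves real files must also
// resolve symlinks (realpath / fs::weakly_canonical) before this comparison.
bool contained(const std::string& root, const std::string& requested) {
    fs::path p = fs::path(requested).lexically_normal();
    if (!p.is_absolute()) return false;
    std::string rs =
        trim_trailing_sep(fs::path(root).lexically_normal().generic_string());
    std::string ps = trim_trailing_sep(p.generic_string());
    if (ps == rs) return true;
    return ps.size() > rs.size() && ps.compare(0, rs.size(), rs) == 0 &&
           (rs == "/" || ps[rs.size()] == '/');
}
```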

HarborGuard Analysis

Synopsis

A path containment bypass in the SFTP server component (sshfs_server) of Canonical Multipass before 1.16.3 allows a local attacker with root privileges inside a guest virtual machine to escape the VM boundary. The attacker injects raw SFTP frames directly into the host-side root process via procfs, exploiting the absence of path separator validation and dot-dot normalization in the validate_path function. Successful exploitation gives the attacker read access to arbitrary files on the host filesystem and the ability to write arbitrary files there as well, constituting a full virtual machine escape. A patched-image rebuild at version 1.16.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-49238 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Canonical Multipass. Any image carrying a Multipass version below 1.16.3 is flagged automatically.

Status: Available
Triage

Triage is available with the full CVSS v3.1 score of 8.4 (HIGH) applied to every matched image, weighted against each customer environment's compliance policy to prioritize findings appropriately. Routed alerts reach the correct team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

A patched-image rebuild at Multipass version 1.16.3 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The vulnerable component is reached locally (AV:L): the attacker needs an existing foothold, in this case root access inside a guest VM, and does not require over-the-network access to sshfs_server.

  • Authentication: Required

    Only low privileges from the host's perspective are needed (PR:L): root inside the guest VM is sufficient and no host-level account is needed, but the attacker must first have established that privileged access within the guest.

  • Victim interaction: Not required

    No action from any other user or administrator is needed; the attacker performs the exploit entirely without victim participation.

  • Attack complexity: Low

    Attack complexity is low (AC:L): once the attacker has root inside the guest VM the exploit is reliable and condition-free, with no race conditions or special memory layout requirements.

Blast Radius

  • Reads arbitrary files on the host filesystem, including credentials, private keys, and configuration files stored outside the VM mount boundary.
  • Writes arbitrary files to the host filesystem, allowing the attacker to plant backdoors, modify system binaries, or alter host configuration.
  • Breaks the isolation boundary between the guest VM and the host OS, exposing all data accessible to the host-side root process running sshfs_server.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49238 is active for all scanned images carrying Canonical Multipass below version 1.16.3, with results appearing within minutes of the CVE entering upstream feeds. For customers who opt into auto-remediation, HarborGuard produces a rebuilt image at version 1.16.3, runs regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can find the flagged image in their HarborGuard dashboard with full CVSS context and a direct reference to the upstream fix. Where compliance policy permits, enabling auto-remediation is the fastest path to closing this VM-escape exposure.


Metrics

  • CVSS v3.1: 8.4
  • Severity: HIGH
  • Fixed in: 1.16.3
  • Affected products: 1

Fix available: 1.16.3

Affected packages
  • Canonical / Multipass: < 1.16.3 (from 0)

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N