CVE-2026-46695
Affected versions of boxlite mount host directories shared via virtiofs
as guest-side read-only by setting MS_RDONLY from the guest. Because the
default guest capability set included CAP_SYS_ADMIN, untrusted code
running inside a sandbox could execute mount -o remount,rw <path> to
re-flag the share as read-write and then write through to the host
filesystem — fully escaping the read-only contract boxlite advertised
to callers.
The fix in v0.9.0 enforces read-only at the hypervisor level via
krun_add_virtiofs3 (so the guest's MS_RDONLY is no longer the
authoritative gate) and drops CAP_SYS_ADMIN from the default guest
capability set (matching Docker's defaults).
This is a sandbox-escape bug: boxlite is a sandboxing runtime, so the
read-only invariant is part of its security contract. CVSS rated 10.0 by
the upstream advisory.
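
An added example (not from the advisory or the boxlite project) of a guest-side audit for the precondition described above: given the text of /proc/<pid>/status and /proc/<pid>/mountinfo, it lists virtiofs shares flagged read-only while CAP_SYS_ADMIN is in the effective set. The function names and sample inputs are constructed for illustration, and the check cannot see whether the hypervisor also enforces read-only.

```rust
// Added example, not boxlite code. Sample inputs below are constructed.
const CAP_SYS_ADMIN: u32 = 21; // bit index from linux/capability.h

/// True if the CapEff mask in /proc/<pid>/status text includes CAP_SYS_ADMIN.
fn has_cap_sys_admin(status: &str) -> bool {
    status
        .lines()
        .find_map(|l| l.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
        .map_or(false, |mask| mask & (1u64 << CAP_SYS_ADMIN) != 0)
}

/// Mount points of virtiofs mounts whose per-mount options include "ro".
fn ro_virtiofs_mounts(mountinfo: &str) -> Vec<String> {
    let mut out = Vec::new();
    for line in mountinfo.lines() {
        // Layout: id parent maj:min root mountpoint opts [tags...] - fstype source superopts
        let Some((pre, post)) = line.split_once(" - ") else { continue };
        let pre: Vec<&str> = pre.split_whitespace().collect();
        let fstype = post.split_whitespace().next().unwrap_or("");
        if pre.len() >= 6 && fstype == "virtiofs" && pre[5].split(',').any(|o| o == "ro") {
            out.push(pre[4].to_string());
        }
    }
    out
}

/// Shares whose read-only flag the workload itself could clear by remounting.
/// Hypervisor-level enforcement is not visible from these two files.
fn remountable_shares(status: &str, mountinfo: &str) -> Vec<String> {
    if has_cap_sys_admin(status) { ro_virtiofs_mounts(mountinfo) } else { Vec::new() }
}

fn main() {
    // Constructed samples: a full capability mask, and one with bit 21 clear.
    let mountinfo = "36 25 0:32 / /mnt/share ro,relatime shared:1 - virtiofs share0 ro\n\
                     37 25 0:33 / /mnt/scratch rw,relatime - virtiofs share1 rw\n\
                     38 25 0:5 / /proc rw,nosuid - proc proc rw\n";
    for status in ["CapEff:\t000001ffffffffff\n", "CapEff:\t00000000a80425fb\n"] {
        println!("{:?}", remountable_shares(status, mountinfo));
    }
}
```

An empty result means only that the guest-side precondition is absent for that process; it says nothing about other processes in the guest that hold a different capability set.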
References
https://crates.io/crates/boxlite
https://rustsec.org/advisories/RUSTSEC-2026-0147.html
https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-g6ww-w5j2-r7x3
https://github.com/boxlite-ai/boxlite/pull/454
