CVE-2026-46703
Affected versions of boxlite extract OCI image layer tarballs without
fully containing path resolution to the extraction root. A crafted layer
containing a symlink whose target is an absolute on-host path (e.g.
escape -> /tmp) followed by a file entry that resolves through that
symlink (e.g. escape/<path>/pwned.txt) caused the extractor to write
the payload to the host filesystem outside the intended rootfs directory.
The fix in v0.9.0 routes every destructive filesystem operation through a
SafeRoot handle (openat2(RESOLVE_IN_ROOT) on Linux, lexical fallback
elsewhere) so that no tar entry can resolve outside the extraction root,
even with adversarial symlinks placed by earlier entries in the same
layer.
This is a container escape during image extraction, exploitable by any
user who pulls or loads a malicious OCI image — including via
SimpleBox(rootfs_path=...) from an untrusted local layout.
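
The entry ordering described above can be caught before extraction with a lexical audit of the layer. The sketch below is an added example, not boxlite's SafeRoot code: it models a layer as constructed (path, link target) pairs instead of parsing a tarball, and the names audit_layer, parent_in_root and parts are hypothetical. It complements kernel-enforced containment such as openat2(RESOLVE_IN_ROOT) and does not replace it.

```rust
use std::collections::{HashMap, VecDeque};
fn parts(p: &str) -> Vec<&str> { p.split('/').filter(|c| !c.is_empty() && *c != ".").collect() }

/// Walk the parent directories of `path` as the host would, following symlinks
/// created by earlier entries. Err means the walk leaves the extraction root.
fn parent_in_root(path: &str, links: &HashMap<String, String>) -> Result<Vec<String>, String> {
    let mut todo: VecDeque<String> = parts(path).into_iter().map(String::from).collect();
    todo.pop_back(); // the final component is created, not traversed
    let (mut cur, mut hops) = (Vec::<String>::new(), 0);
    while let Some(c) = todo.pop_front() {
        if c == ".." && cur.pop().is_none() {
            return Err(format!("{path}: '..' climbs above root"));
        }
        if c == ".." { continue; }
        cur.push(c);
        if let Some(target) = links.get(&cur.join("/")) {
            hops += 1; // hop limit stops symlink loops
            if target.starts_with('/') || hops > 40 {
                return Err(format!("{path}: via symlink {} -> {target}", cur.join("/")));
            }
            cur.pop(); // a relative target resolves from the link's directory
            parts(target).into_iter().rev().for_each(|t| todo.push_front(t.into()));
        }
    }
    Ok(cur)
}

/// Entries are (path, Some(target)) for symlinks and (path, None) otherwise.
/// Returns one finding per entry that would be written outside the root.
pub fn audit_layer(entries: &[(&str, Option<&str>)]) -> Vec<String> {
    let (mut links, mut findings) = (HashMap::new(), Vec::new());
    for (path, target) in entries {
        match parent_in_root(path, &links) {
            Err(why) => findings.push(why),
            Ok(mut dir) => {
                dir.extend(parts(path).last().map(|n| n.to_string()));
                let key = dir.join("/");
                match target {
                    Some(t) => links.insert(key, t.to_string()),
                    None => links.remove(&key), // a regular entry replaces a link
                };
            }
        }
    }
    findings
}
fn main() {
    // Constructed layer mirroring the advisory: a symlink, then a write through it.
    let layer = [("etc/hosts", None), ("escape", Some("/tmp")), ("escape/x/pwned.txt", None)];
    for f in audit_layer(&layer) { println!("REJECT {f}"); }
}
```

A layer with any finding should be rejected whole, since later entries may depend on the one that was refused.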
References
https://crates.io/crates/boxlite
https://rustsec.org/advisories/RUSTSEC-2026-0148.html
https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j
https://github.com/boxlite-ai/boxlite/pull/429
https://github.com/boxlite-ai/boxlite/pull/446
https://github.com/boxlite-ai/boxlite/pull/461
