CVE-2026-46695

Published: Jun 10, 2026Modified: Jun 11, 2026Deferred

10.0

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.8

Source: security-advisories@github.com (Secondary)

Description

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/boxlite-ai/boxlite/pull/454

Source: security-advisories@github.com

https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0

Source: security-advisories@github.com

https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-g6ww-w5j2-r7x3

Source: security-advisories@github.com

https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-g6ww-w5j2-r7x3

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.