CVE-2026-49237
Description
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incomplete fix for CVE-2025-5199 leaves five auxiliary binaries writable in Multipass for macOS, allowing local privilege escalation via PATH hijacking.
Vulnerability
An incomplete fix for CVE-2025-5199 in Canonical Multipass for macOS before version 1.16.3 leaves five auxiliary binaries writable by the installing user. The patch in version 1.16.0 changed ownership of the multipassd daemon binary to root:wheel, but the co-located binaries multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server in /Library/Application Support/com.canonical.multipass/bin/ retain user ownership (:staff) and remain writable. The root LaunchDaemon (com.canonical.multipassd.plist) sets a PATH environment variable that prioritizes this user-writable directory and invokes these binaries by their bare names [1].
Exploitation
A local attacker with write access to the directory (typically the user who installed Multipass or any member of the staff group) can replace an auxiliary binary, such as qemu-img, with a malicious wrapper. The wrapper passes all original arguments through to the real binary, so the operation completes normally. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges [1].
Impact
Successful exploitation allows a local attacker to execute arbitrary code with root privileges, leading to full system compromise. This is a local privilege escalation vulnerability [1].
Mitigation
The vulnerability is fixed in Multipass version 1.16.3, released on 2026-05-28. Users should upgrade to this version or later. No workarounds are documented [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Incomplete fix for CVE-2025-5199: five auxiliary binaries in the Multipass installation directory retain user ownership and remain writable, enabling PATH hijacking by a local attacker."
Attack vector
A local attacker who installed Multipass replaces a user-writable auxiliary binary (e.g., `qemu-img`) in `/Library/Application Support/com.canonical.multipass/bin/` with a malicious wrapper [ref_id=1]. The root LaunchDaemon (`com.canonical.multipassd.plist`) sets a `PATH` that lists this directory first, and `multipassd` invokes the binary by bare name at runtime [ref_id=1]. When the attacker triggers execution (e.g., via `multipass launch`), the root daemon resolves the malicious wrapper and executes it with root privileges [ref_id=1]. No password, user interaction, or network access is required beyond triggering a VM launch [ref_id=1].
Affected code
The vulnerability resides in five binaries co-located in `/Library/Application Support/com.canonical.multipass/bin/`: `multipass`, `qemu-img`, `qemu-system-aarch64`, `qemu-system-x86_64`, and `sshfs_server`. Unlike `multipassd` (which was fixed to `root:wheel`), these retain ownership by the installing user (`<user>:staff`) and remain writable [ref_id=1]. The root LaunchDaemon plist sets a `PATH` that prioritizes this user-writable directory and invokes these binaries by bare name [ref_id=1].
What the fix does
The advisory states that the fix shipped in version 1.16.3 addresses the incomplete remediation of CVE-2025-5199 [ref_id=1]. While the earlier patch (1.16.0) only changed ownership of `multipassd` to `root:wheel`, the complete fix must extend the same ownership change to all five co-located binaries (`multipass`, `qemu-img`, `qemu-system-aarch64`, `qemu-system-x86_64`, and `sshfs_server`) so they are no longer writable by the installing user [ref_id=1]. No patch diff is provided in the advisory; the remediation guidance is to ensure all binaries in the directory are owned by `root:wheel` [ref_id=1].
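As an added example (not from the advisory and not Multipass project code), the following Python audit checks the two conditions the advisory describes on a host: whether any of the five auxiliary binaries is owned by a non-root user or is group/other writable, and whether the daemon's PATH puts the user-writable directory first. It assumes the LaunchDaemon sets PATH through launchd's `EnvironmentVariables` key; the sample plist and the temporary directory are constructed stand-ins, and `remediation_commands` only prints the `root:wheel` guidance from the advisory rather than applying it.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Directory and binary names as given in the advisory for CVE-2026-49237.
BIN_DIR = Path("/Library/Application Support/com.canonical.multipass/bin")
AUX_BINARIES = ("multipass", "qemu-img", "qemu-system-aarch64", "qemu-system-x86_64", "sshfs_server")

def audit_binaries(bin_dir):
    """Return (name, reason) pairs for auxiliary binaries a non-root user could modify."""
    findings = []
    for name in AUX_BINARIES:
        path = Path(bin_dir) / name
        if not path.exists():
            continue  # a missing binary is outside the scope of this check
        st = path.stat()
        if st.st_uid != 0:  # the vulnerable state is <user>:staff with owner write
            findings.append((name, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable by group or other"))
    return findings

def daemon_path_puts_dir_first(plist_bytes, bin_dir):
    """True if EnvironmentVariables.PATH resolves bare names in bin_dir before any system dir."""
    env = plistlib.loads(plist_bytes).get("EnvironmentVariables", {})
    entries = [e for e in env.get("PATH", "").split(":") if e]
    return bool(entries) and Path(entries[0]) == Path(bin_dir)

def remediation_commands(findings, bin_dir=BIN_DIR):
    """Shell commands matching the advisory's guidance: root:wheel ownership, no group/other write."""
    names = sorted({name for name, _ in findings})
    return [f"sudo chown root:wheel '{Path(bin_dir) / n}' && sudo chmod 755 '{Path(bin_dir) / n}'"
            for n in names]

# Constructed stand-in for com.canonical.multipassd.plist; only the PATH entry matters here.
SAMPLE_PLIST = plistlib.dumps({"EnvironmentVariables": {"PATH": f"{BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"}})

def demo():
    # Build a throwaway bin/ directory with constructed placeholder binaries and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        for name in AUX_BINARIES:
            (Path(tmp) / name).write_bytes(b"#!/bin/sh\n")
        os.chmod(Path(tmp) / "qemu-img", 0o775)      # group-writable: should be flagged
        os.chmod(Path(tmp) / "sshfs_server", 0o755)  # not group/other writable
        return audit_binaries(tmp)
```

On a real macOS host, call `audit_binaries(BIN_DIR)` and pass the bytes of the installed LaunchDaemon plist to `daemon_path_puts_dir_first` instead of the constructed sample.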
Preconditions
- Multipass 1.16.1 or 1.16.2 installed on macOS by a standard (non-root) user
- Attacker must be the same local user who installed Multipass (or have write access to the affected directory)
- Ubuntu image cached locally (from a prior multipass launch) so the trigger completes without download
- No elevated privileges required before execution
Reproduction
The advisory includes a full PoC script [ref_id=1]. The attacker backs up the real `qemu-img` binary, replaces it with a malicious shell wrapper that writes a passwordless sudoers entry, then runs `multipass launch` to trigger the root daemon's invocation of the wrapper. After the payload executes, the script restores the original binary and cleans up the trigger VM [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0. No linked articles in our index yet.