VYPR
High severity7.8NVD Advisory· Published May 28, 2026· Updated Jun 1, 2026

CVE-2026-49237

CVE-2026-49237

Description

An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Canonical/Multipassinferred3 versions
    <1.16.3+ 2 more
    • (no CPE)range: <1.16.3
    • cpe:2.3:a:canonical:multipass:*:*:*:*:*:*:*:*range: <1.16.3
    • (no CPE)range: <1.16.3

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.