CVE-2026-49238
Description
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path containment bypass in Multipass's host-side SFTP server allows a guest root user to read arbitrary host files via pipe injection and directory traversal, leading to VM escape.
Vulnerability
The validate_path function in src/sshfs_mount/sftp_server.cpp of Canonical Multipass before version 1.16.3 performs a plain string prefix comparison on requested paths without path separator validation or .. normalization [1]. This allows a path such as /Users//multipass_restrict/../.aws/credentials to pass the check because its first N bytes match the allowed mount prefix. The host-side SFTP server (sshfs_server) runs with root privileges on the host and processes SFTP requests from the guest.
Exploitation
A local attacker with root privileges inside the guest virtual machine can inject raw SFTP frames (e.g., an SSH_FXP_OPEN request) directly into the sshfs_server process's stdin pipe via /proc//fd/0 [1]. By crafting a path that includes directory traversal sequences that match the allowed mount prefix, the attacker bypasses the FUSE layer. The host OS resolves the .. at ::open() time, causing the server to open a file outside the designated mount boundary.
Impact
Successful exploitation allows the guest-side root user to read arbitrary files on the host filesystem with root privileges, resulting in a virtual machine escape [1]. The attack leaves no artifact on the host and can expose sensitive data such as cloud credentials.
Mitigation
The vulnerability is fixed in Multipass version 1.16.3 [1]. Users should upgrade to this version or later. No workaround is documented. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing path separator validation and dot-dot normalization in validate_path allows directory traversal to bypass the mount boundary."
Attack vector
A local attacker with root privileges inside the guest VM identifies the host-side `sshfs` process PID via `pgrep` and opens its stdin/stdout pipe file descriptors through `/proc/<pid>/fd/1` and `/proc/<pid>/fd/0` [1]. The attacker sends a crafted `SSH_FXP_OPEN` SFTP frame directly into the pipe, bypassing the FUSE layer entirely [1]. The path in the request (e.g., `/Users/<user>/multipass_restrict/../.aws/credentials`) passes the `validate_path` prefix check because its first N bytes match the allowed mount prefix, but the OS resolves the `..` traversal at `::open()` time on the host [1]. The host-side root process opens the traversed file and returns its contents via `SSH_FXP_DATA`, achieving a virtual machine escape [1].
Affected code
The vulnerability resides in `src/sshfs_mount/sftp_server.cpp`, specifically the `validate_path` function at lines 226–232 [1]. This function performs a plain string prefix comparison (`current_path.compare(0, source_path.length(), source_path) == 0`) with no path separator validation or dot-dot (`..`) normalization [1]. The `sshfs_server` process runs as root on the host and communicates via raw SFTP binary protocol over stdin/stdout pipes [1].
What the fix does
The advisory does not include a published patch, but the fix must address two deficiencies in `validate_path` [1]. First, the prefix comparison must be augmented with a path separator check to ensure the match ends at a directory boundary, preventing partial-prefix matches. Second, the function must normalize or reject dot-dot (`..`) sequences before the comparison, so that traversal components are not silently resolved by the OS at `::open()` time [1]. Without both changes, any path whose prefix matches the mount source path will pass validation regardless of traversal components.
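The following is an added illustration of the two changes described above, not Multipass's own code and not the actual 1.16.3 patch. `validate_path_weak` reproduces the plain prefix comparison quoted from the advisory; `validate_path_hardened` shows one way to apply both fixes: lexically normalise the request (collapsing `.` and resolving `..` before anything reaches `::open()`), then require the mount prefix to end at an exact match or a `/` component boundary. The mount path and the host user `alice` are constructed sample values, not values from the advisory.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Weak check: the plain prefix comparison the advisory attributes to
// validate_path. It accepts any request whose first N bytes equal the mount
// source, so "<mount>/../x" and "<mount>_other/x" both pass.
bool validate_path_weak(const std::string& source_path, const std::string& current_path)
{
    return current_path.compare(0, source_path.length(), source_path) == 0;
}

// Lexically normalise an absolute path without touching the filesystem:
// drop empty and "." components, resolve ".." against the components seen so
// far, and reject a path that tries to climb above "/".
bool lexically_normalize(const std::string& path, std::string& out)
{
    if (path.empty() || path[0] != '/')
        return false; // only absolute paths are meaningful here
    std::vector<std::string> parts;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/'))
    {
        if (seg.empty() || seg == ".")
            continue;
        if (seg == "..")
        {
            if (parts.empty())
                return false; // would escape above the root
            parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    out = "/";
    for (std::size_t i = 0; i < parts.size(); ++i)
    {
        out += parts[i];
        if (i + 1 < parts.size())
            out += '/';
    }
    return true;
}

// Hardened check: normalise both sides first so ".." can never survive into
// ::open(), then require the mount path to match either exactly or up to a
// '/' component boundary (so "<mount>_private/..." is rejected).
bool validate_path_hardened(const std::string& source_path, const std::string& current_path)
{
    std::string root, target;
    if (!lexically_normalize(source_path, root) || !lexically_normalize(current_path, target))
        return false;
    if (target == root)
        return true;
    if (root == "/")
        return true; // every normalised absolute path is under "/"
    return target.size() > root.size() && target[root.size()] == '/' &&
           target.compare(0, root.size(), root) == 0;
}

int main()
{
    // Constructed sample: hypothetical host user "alice"; not a value from the advisory.
    const std::string mount = "/Users/alice/multipass_restrict";
    const char* requests[] = {
        "/Users/alice/multipass_restrict/notes.txt",          // legitimate request
        "/Users/alice/multipass_restrict/../.aws/credentials", // traversal out of the mount
        "/Users/alice/multipass_restrict_private/secret",      // prefix match without a separator
    };
    for (const char* req : requests)
        std::cout << req << "\n  weak=" << validate_path_weak(mount, req)
                  << " hardened=" << validate_path_hardened(mount, req) << "\n";
    return 0;
}
```

Lexical normalisation covers the dot-dot case the advisory describes, but it does not resolve symlinks that may sit inside the mounted directory; a server that opens files as root should additionally confirm, via `realpath()` on the final target, that the resolved location is still inside the mount.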
Preconditions
- auth: Attacker must have root privileges inside the guest VM
- config: A host directory must be mounted into the guest VM via multipass mount
- config: The sshfs_server process must be running on the host (default behavior)
- input: Attacker must be able to access /proc/<sshfs_pid>/fd/0 and /proc/<sshfs_pid>/fd/1 from inside the guest
Reproduction
The advisory includes a full Python PoC script [1]. On the host, create a directory to share (`mkdir -p ~/multipass_restrict`) and mount it into the VM (`multipass mount ~/multipass_restrict <vm-name>:/home/ubuntu/multipass_restrict`). Inside the guest as root, run the PoC script after updating the hardcoded `/Users/<user>/` paths to match the host username [1]. The script finds the sshfs PID via `pgrep`, opens its pipe FDs through procfs, sends a crafted `SSH_FXP_OPEN` with a traversal path, and reads the response containing the host file contents [1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.