CVE-2026-46695

Severity: CRITICAL (CVSS 10.0)

Read-only volume remount bypass via guest CAP_SYS_ADMIN

Published: 5/21/2026
Modified: 5/20/2026
Also known as: GHSA-g6ww-w5j2-r7x3, RUSTSEC-2026-0147

Description

Affected versions of `boxlite` mount host directories shared via virtiofs as guest-side read-only by setting `MS_RDONLY` from the guest. Because the default guest capability set included `CAP_SYS_ADMIN`, untrusted code running inside a sandbox could execute `mount -o remount,rw <path>` to re-flag the share as read-write and then write through to the host filesystem, fully escaping the read-only contract `boxlite` advertised to callers. The fix in v0.9.0 enforces read-only at the hypervisor level via `krun_add_virtiofs3` (so the guest's `MS_RDONLY` is no longer the authoritative gate) and drops `CAP_SYS_ADMIN` from the default guest capability set (matching Docker's defaults). This is a sandbox-escape bug: `boxlite` is a sandboxing runtime, so the read-only invariant is part of its security contract. CVSS rated 10.0 by the upstream advisory.
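As an added example that is not part of this advisory or of the `boxlite` project: a small Python audit a defender can run inside a guest (or over captured `/proc` dumps from a fleet of sandboxes) to check the two conditions the v0.9.0 fix addresses, namely that `CAP_SYS_ADMIN` is absent from the process capability sets and that the virtiofs share is actually mounted `ro`. The `/proc/self/status` and `/proc/mounts` contents below are constructed samples; the mountpoint `/mnt/share` and the capability mask values are assumptions for illustration.

```python
import re

# Linux capability bit index for CAP_SYS_ADMIN (see <linux/capability.h>).
CAP_SYS_ADMIN = 21

# Constructed sample of a guest that still has the full bounding set
# (bit 21 set) and has remounted the virtiofs share read-write.
VULNERABLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
VULNERABLE_MOUNTS = "share /mnt/share virtiofs rw,relatime 0 0\nproc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"

# Constructed sample of a hardened guest: same masks with bit 21 cleared
# (0x1ffffffffff & ~(1 << 21) == 0x1ffffdfffff) and the share kept read-only.
HARDENED_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffdfffff\nCapEff:\t000001ffffdfffff\nCapBnd:\t000001ffffdfffff\nCapAmb:\t0000000000000000\n"
HARDENED_MOUNTS = "share /mnt/share virtiofs ro,relatime 0 0\nproc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_masks(status_text):
    """Return {CapXxx: int} for the capability lines of a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, cap_bit):
    """True if capability number cap_bit is set in the 64-bit mask."""
    return bool((mask >> cap_bit) & 1)


def parse_mounts(mounts_text):
    """Parse /proc/mounts into (source, target, fstype, option-set) tuples."""
    entries = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line; /proc/mounts always has >= 4 fields
        entries.append((parts[0], parts[1], parts[2], set(parts[3].split(","))))
    return entries


def audit_guest(status_text, mounts_text, share_mountpoint):
    """Return a list of findings; an empty list means both invariants hold.

    Checks: CAP_SYS_ADMIN must be absent from the bounding and effective sets
    (a guest cannot regain a capability missing from CapBnd), and the share
    at share_mountpoint must carry the 'ro' mount option.
    """
    findings = []
    masks = parse_cap_masks(status_text)
    for name in ("CapBnd", "CapEff"):
        if has_cap(masks.get(name, 0), CAP_SYS_ADMIN):
            findings.append(f"{name} includes CAP_SYS_ADMIN")
    share_entries = [e for e in parse_mounts(mounts_text) if e[1] == share_mountpoint]
    if not share_entries:
        findings.append(f"{share_mountpoint} is not mounted")
    for _src, target, fstype, opts in share_entries:
        if "ro" not in opts:
            findings.append(f"{target} ({fstype}) is mounted read-write")
    return findings


if __name__ == "__main__":
    for label, status, mounts in (
        ("vulnerable", VULNERABLE_STATUS, VULNERABLE_MOUNTS),
        ("hardened", HARDENED_STATUS, HARDENED_MOUNTS),
    ):
        result = audit_guest(status, mounts, "/mnt/share")
        print(f"{label}: {result or 'OK'}")
```

On a live guest, read `/proc/self/status` and `/proc/mounts` in place of the constructed strings. Note that an `ro` option in the guest's mount table only reflects the guest-side `MS_RDONLY` flag, which is exactly the gate this advisory shows a `CAP_SYS_ADMIN` holder can flip; the capability check is therefore the more meaningful of the two, and neither substitutes for the hypervisor-level enforcement introduced in v0.9.0.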

Affected packages (6)

CVSS scores

Source   Version    Severity         Vector
osv      CVSS 3.1   CRITICAL 10.0    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

References (5)