CVE-2026-49237: Multipass macOS Privilege Escalation via Unprotected Auxiliary Binaries
Canonical Multipass for macOS has a privilege escalation vulnerability where auxiliary binaries remain under user control despite a previous patch attempt. An attacker with local access can replace one of these binaries with malicious code, which then executes as root when the Multipass daemon runs routine operations. This bypasses the partial fix from version 1.16.0 that only secured the main daemon binary.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-276
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49237 stems from incomplete remediation of CVE-2025-5199 in Multipass prior to version 1.16.3. While the earlier patch changed multipassd ownership to root:wheel, five auxiliary binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ remain owned by the installing user and world-writable. The root LaunchDaemon (com.canonical.multipassd.plist) configures PATH to prioritize this user-controlled directory and invokes these binaries by bare name rather than full path. An unprivileged local user can therefore perform a binary hijacking attack: replace a utility binary with a wrapper, wait for daemon invocation (triggered during operations like 'multipass launch'), and gain code execution as root.
Business impact
Multipass users on affected macOS systems face local privilege escalation risk. Any user with shell access to the machine can escalate to root, enabling complete system compromise, data theft, malware installation, and lateral movement. Organizations deploying Multipass for development, testing, or VM management should treat this as a critical local security boundary violation. The vulnerability does not require network access or user interaction—only local machine access.
Affected systems
Canonical Multipass for macOS versions before 1.16.3 are affected. The vulnerability is platform-specific to macOS due to LaunchDaemon PATH configuration. macOS systems with Multipass installed via the official installer are at risk. Verify your installed version via 'multipass version' command. Users running version 1.16.3 or later are not affected.
Exploitability
Exploitability is straightforward for local attackers. The attack requires no special privileges beyond local login or shell access, no user interaction, and minimal complexity—replacing a file in a known, predictable location. The PATH hijacking is deterministic; any auxiliary binary invocation by the daemon triggers the malicious code. No authentication bypass or race conditions are needed. This is classified as HIGH severity (CVSS 7.8) with low attack complexity due to the direct path from local access to root code execution.
Remediation
Update Canonical Multipass to version 1.16.3 or later as soon as possible. This version corrects the ownership and permissions of all auxiliary binaries to prevent user modification. Administrators should verify the fix by confirming that all binaries in /Library/Application Support/com.canonical.multipass/bin/ are owned by root and non-writable by unprivileged users post-upgrade.
Patch guidance
Download and install Multipass 1.16.3 or later from Canonical's official repository or website. On macOS, uninstall the current version and perform a fresh installation, or use the auto-update mechanism if enabled. After upgrade, verify ownership and permissions: 'ls -la /Library/Application\ Support/com.canonical.multipass/bin/' should show root ownership and restrictive permissions (e.g., 0755). Test core Multipass operations (launch, stop, delete instances) to confirm functionality post-patch.
Detection guidance
Monitor file system changes in /Library/Application Support/com.canonical.multipass/bin/ for unauthorized modifications or permission changes to auxiliary binaries. Alert on any user-initiated writes to this directory. Check current file ownership and permissions against the expected root:wheel ownership with restricted write access. Audit running processes to detect binaries in this directory executing with unexpected parent processes or user contexts. Query system logs for unusual multipassd or auxiliary binary invocations.
Why prioritize this
This vulnerability merits immediate priority despite no KEV listing. The incomplete prior fix demonstrates supply chain execution complexity; users who patched for CVE-2025-5199 may believe themselves protected but remain exposed. The attack surface is trivial for any local user, and the impact is root compromise. Development and testing teams relying on Multipass should treat this as critical. The ease of exploitation and severity of impact justify rapid patching.
Risk score, explained
CVSS 7.8 (HIGH) reflects local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of local privilege escalation to root on a development tool. Organizations with strict local access controls may see reduced real-world risk, but the theoretical exploitability remains high for any system where local users have shell access.
Frequently asked questions
If I'm running Multipass 1.16.0 or 1.16.1, am I protected from the CVE-2025-5199 fix?
No. Those versions patched only the multipassd daemon binary itself but left auxiliary binaries writable. This vulnerability (CVE-2026-49237) bypasses that partial fix. You must upgrade to 1.16.3 or later for complete remediation.
Do I need network access to exploit this vulnerability?
No. The vulnerability requires only local machine access. An attacker with shell access or login capability can perform the attack. Network isolation does not mitigate this risk.
How do I verify my Multipass version and check if I'm affected?
Run 'multipass version' to check your installed version. If it is earlier than 1.16.3, you are affected. After upgrading, verify the fix by checking file ownership: 'ls -la /Library/Application\ Support/com.canonical.multipass/bin/' should show root:wheel ownership with no user-writable permissions.
Will updating Multipass break my existing instances or configurations?
Version 1.16.3 is a maintenance release addressing security. Existing instances and configurations should persist and function normally. Perform the upgrade during a maintenance window and test core operations post-upgrade to confirm compatibility in your environment.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the publication date. Patch versions, affected product versions, and remediation guidance should be verified against official vendor advisories and release notes. Security impact may vary based on organizational deployment, access controls, and configuration. Testing in a controlled environment is strongly recommended before deploying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made based on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49157HIGHApache ActiveMQ Jolokia Authorization Bypass Allows Privilege Escalation
- CVE-2026-48190LOWOTRS Permission Bypass – CMDB CI Data Disclosure
- CVE-2026-48191LOWOTRS STORM Metadata Disclosure via Incorrect Permissions
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution