HIGH 8.4

CVE-2026-49238: Canonical Multipass Path Traversal VM Escape Vulnerability

Canonical Multipass before version 1.16.3 contains a path validation flaw that allows a user with root access inside a guest virtual machine to escape the sandbox and read files on the host system. The vulnerability exists in the SFTP server component that bridges file sharing between the guest and host. An attacker can craft specially formatted file access requests containing path traversal sequences that bypass the intended directory boundaries, giving them access to sensitive files on the host machine with the privileges of the root process managing the file share.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49238 is a path containment bypass in Multipass's sshfs_server component (src/sshfs_mount/sftp_server.cpp). The validate_path function performs simple string prefix matching without normalizing path separators or resolving directory traversal sequences (.. notation). A guest-side attacker with root privileges can inject raw SFTP protocol frames (SSH_FXP_OPEN requests) directly into the sshfs_server process via procfs pipes, circumventing FUSE layer enforcement. By supplying paths that contain directory traversal sequences matching the allowed mount prefix, the attacker forces the host-side root process to resolve and open files outside the designated mount point, achieving arbitrary file read on the host filesystem.

Business impact

This vulnerability enables virtual machine escape with read access to host data. Organizations relying on Multipass for isolated guest environments face confidentiality loss if users with guest root access are compromised or malicious. Sensitive configuration files, credentials, application data, and intellectual property on the host become accessible to attackers inside the VM. The impact is heightened because the sshfs_server runs with host root privileges, meaning no file on the host is protected by standard permission checks once the path validation is bypassed.

Affected systems

Canonical Multipass versions prior to 1.16.3 are affected. This impacts users across Linux, macOS, and Windows platforms where Multipass is deployed for local virtual machine management, development environments, and containerization workflows. Any organization using Multipass for guest VM isolation should assess their deployment scope.

Exploitability

Exploitation requires local access with root privileges inside the guest VM, making this a post-compromise attack rather than a remote or unauthenticated entry point. However, once an attacker achieves guest root (through other vulnerabilities, misconfigurations, or lateral movement), the path bypass is straightforward to execute via procfs pipe injection without requiring special tools or intricate timing. The attack does not appear in CISA's Known Exploited Vulnerabilities catalog at this time.

Remediation

Update Canonical Multipass to version 1.16.3 or later. Verify the update via official Canonical repositories or the Multipass release notes. Organizations should prioritize patching in environments where guest VMs may be exposed to untrusted users or where guest compromise is a realistic threat model. Until patching is complete, restrict guest root access and implement host-level monitoring of SFTP server activity.

Patch guidance

Upgrade to Multipass 1.16.3 or newer as soon as operationally feasible. Check Canonical's official repositories and release channels for the patched version. Test the update in a non-production environment to confirm compatibility with your VM configurations and workflows before rolling out broadly. Verify that the patched sshfs_server properly normalizes paths and enforces mount boundaries after upgrade.

Detection guidance

Monitor for anomalous SFTP protocol activity within sshfs_server processes, particularly SSH_FXP_OPEN requests containing path traversal sequences (.. or absolute paths). Use file integrity monitoring on the host to detect unauthorized access to files outside expected VM mount points. Audit host-level procfs access patterns; legitimate sshfs_server operation should not involve direct pipe injection from guest processes. Review host system logs for unexpected file access attempts by the root-privileged sshfs_server process originating from malformed requests.

Why prioritize this

This is a HIGH severity virtual machine escape that allows arbitrary file read on the host by a guest-side attacker with root privileges. The combination of high confidentiality impact, direct path to exploitation once guest root is obtained, and the fact that sshfs_server executes as host root makes this a significant risk for environments where guest isolation is a security boundary. Prioritize patching in production deployments, particularly where guest VMs may be shared or exposed to less-trusted users.

Risk score, explained

CVSS 3.1 score of 8.4 (HIGH) reflects a local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and scope change (S:C) enabling VM escape. High confidentiality impact (C:H) and high integrity impact (I:H) account for arbitrary file read and potential write implications of path normalization flaws. The absence of availability impact (A:N) reflects that this is a data access vulnerability rather than a denial-of-service issue.

Frequently asked questions

Does this vulnerability allow code execution on the host?

The vulnerability is primarily a confidentiality issue enabling arbitrary file read on the host. While path traversal can sometimes lead to code execution (e.g., writing to startup scripts), the base vulnerability is read access. However, organizations should assume that file read access can be leveraged for privilege escalation or code execution if combined with other host weaknesses.

Do I need to patch if my guest VMs are air-gapped or only used by trusted users?

If you control guest VM access and trust all users with guest root, your risk is lower. However, given the simplicity of exploitation once guest root is obtained, patching remains prudent for defense-in-depth. Consider the likelihood of VM compromise through other attack vectors as part of your risk assessment.

What does 'scope change' mean in the CVSS score?

Scope change (S:C) indicates that the vulnerability affects a security domain beyond the vulnerable component itself. In this case, a vulnerability in the guest SFTP client scope breaks the boundary and impacts the host scope, meeting the definition of scope change and increasing severity.

Are there workarounds if I cannot patch immediately?

Limit guest root access to trusted administrators only. Implement host-level monitoring and alerting on sshfs_server process activity. Isolate VMs on restricted networks. However, these are mitigations, not substitutes for patching. Upgrade as soon as feasible.

This analysis is based on available vulnerability data as of the publication date. CVSS scores and vulnerability details are sourced from official advisories and the NVD. Patch version numbers and specific affected product versions should be verified against Canonical's official security advisories and release notes. Organizations should conduct their own risk assessment based on their deployment architecture and threat model. This document does not constitute legal advice or a guarantee of security outcomes. Consult with your security team and official vendor guidance before making patching or mitigation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).