CVE Catalog

CVE-2026-46703

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

41th percentile — higher than 41% of all known CVEs

Summary

Boxlite is a sandbox service that allows users to create lightweight virtual machines and run OCI containers. In versions prior to 0.9.0, Boxlite does not account for the possibility that tar entries in OCI images may be symlinks pointing to absolute paths, allowing an attacker to execute malicious code on the host.

Risk Assessment

An attacker can craft a malicious OCI image and distribute it on hosting platforms, potentially leading to unauthorized data writes on the host and remote code execution.

Recommendation

It is recommended to update Boxlite to version 0.9.0 or later to mitigate these vulnerabilities.

Original NVD description (English source)

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS