Listen to this Post
How the CVE Works
The vulnerability resides in how Boxlite extracts OCI image layers. When a malicious OCI image is loaded, the `extract_layer_tarball_streaming()` function passes a tar reader to apply_oci_layer(). The latter processes tar entries, and for symlinks (EntryType::Symlink), it calls `create_symlink()` without validating the symlink target. This allows an attacker to create a symlink pointing to an absolute path on the host (e.g., escape -> /tmp). The `ensure_parent_dirs()` function then deliberately preserves such symlinks, treating out-of-root symlinks as valid parent directories. When a subsequent file entry (e.g., escape/pwned.txt) is processed, `create_regular_file()` opens the file path, and the kernel follows the symlink, writing arbitrary content outside the extraction root. This leads to arbitrary file writes on the host, which can be escalated to remote code execution.
DailyCVE Form
Platform: Boxlite
Version: <0.9.0
Vulnerability : Path Traversal
Severity: Critical
date: 2026-05-21
Prediction: 2026-05-21
What Undercode Say
Analytics: The vulnerability is a classic symlink path traversal, similar to CWE-61/CAPEC-132. It highlights the danger of trusting symlink targets during archive extraction. The CVSS score of 10 (RUSTSEC) or 9.7 (GitLab) indicates a severe flaw with high impact on confidentiality, integrity, and availability. The exploitation is straightforward, requiring no privileges, only user interaction (tricking a user into loading a malicious image). The fix implemented in v0.9.0 uses a `SafeRoot` handle with `openat2(RESOLVE_IN_ROOT)` on Linux to prevent path escape.
Bash commands and codes related to the blog
Check if system is vulnerable to CVE-2026-46703 boxlite --version Update to patched version cargo install boxlite --version 0.9.0 Alternatively, for Python/pip pip install boxlite==0.9.0 For npm npm install @boxlite-ai/[email protected] Mitigation: avoid loading untrusted OCI images boxlite load --image untrusted-image:latest Not recommended
How Exploit
An attacker crafts a malicious OCI image containing a tar layer with two key entries: a symlink pointing to an absolute host path (e.g., /tmp), followed by a regular file whose path resolves through that symlink. The image is distributed on platforms like DockerHub. When a user loads the image using Boxlite (e.g., via SimpleBox(rootfs_path=...)), the extraction process writes the file content to the host location, allowing the attacker to overwrite critical files or inject malicious content (e.g., SSH keys into authorized_keys).
Protection from this CVE
- Immediate Update: Upgrade to Boxlite version 0.9.0 or later.
- Network Mitigation: Block untrusted OCI image registries (e.g., DockerHub) at the network level if feasible.
- Host Hardening: Run Boxlite with least privilege; avoid running as root. Use mandatory access controls (e.g., SELinux, AppArmor) to restrict symlink traversal.
- Image Verification: Only use images from trusted sources; verify image signatures and provenance.
- Runtime Sandbox: For older versions, consider running Boxlite within a VM or container with restricted file system access (e.g., read-only root).
Impact
An attacker can achieve arbitrary file write on the host, leading to full system compromise. With root privileges (common for Boxlite), this allows overwriting system binaries, injecting backdoors, or stealing sensitive data. In AI agent scenarios, it can escape read-only mounts and access credentials or configuration files. The vulnerability is critical, with CVSS scores ranging from 9.7 to 10, indicating a network-exploitable, low-complexity flaw with no required privileges and high impact across all security pillars.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

