Boxlite, Path Traversal Vulnerability, CVE-2026-46703 (Critical)

Listen to this Post

How the CVE Works

The vulnerability resides in how Boxlite extracts OCI image layers. When a malicious OCI image is loaded, the `extract_layer_tarball_streaming()` function passes a tar reader to apply_oci_layer(). The latter processes tar entries, and for symlinks (EntryType::Symlink), it calls `create_symlink()` without validating the symlink target. This allows an attacker to create a symlink pointing to an absolute path on the host (e.g., escape -> /tmp). The `ensure_parent_dirs()` function then deliberately preserves such symlinks, treating out-of-root symlinks as valid parent directories. When a subsequent file entry (e.g., escape/pwned.txt) is processed, `create_regular_file()` opens the file path, and the kernel follows the symlink, writing arbitrary content outside the extraction root. This leads to arbitrary file writes on the host, which can be escalated to remote code execution.

DailyCVE Form

Platform: Boxlite
Version: <0.9.0
Vulnerability : Path Traversal
Severity: Critical
date: 2026-05-21

Prediction: 2026-05-21

What Undercode Say

Analytics: The vulnerability is a classic symlink path traversal, similar to CWE-61/CAPEC-132. It highlights the danger of trusting symlink targets during archive extraction. The CVSS score of 10 (RUSTSEC) or 9.7 (GitLab) indicates a severe flaw with high impact on confidentiality, integrity, and availability. The exploitation is straightforward, requiring no privileges, only user interaction (tricking a user into loading a malicious image). The fix implemented in v0.9.0 uses a `SafeRoot` handle with `openat2(RESOLVE_IN_ROOT)` on Linux to prevent path escape.

Bash commands and codes related to the blog

Check if system is vulnerable to CVE-2026-46703
boxlite --version
Update to patched version
cargo install boxlite --version 0.9.0
Alternatively, for Python/pip
pip install boxlite==0.9.0
For npm
npm install @boxlite-ai/[email protected]
Mitigation: avoid loading untrusted OCI images
boxlite load --image untrusted-image:latest Not recommended

How Exploit

An attacker crafts a malicious OCI image containing a tar layer with two key entries: a symlink pointing to an absolute host path (e.g., /tmp), followed by a regular file whose path resolves through that symlink. The image is distributed on platforms like DockerHub. When a user loads the image using Boxlite (e.g., via SimpleBox(rootfs_path=...)), the extraction process writes the file content to the host location, allowing the attacker to overwrite critical files or inject malicious content (e.g., SSH keys into authorized_keys).

Protection from this CVE

  • Immediate Update: Upgrade to Boxlite version 0.9.0 or later.
  • Network Mitigation: Block untrusted OCI image registries (e.g., DockerHub) at the network level if feasible.
  • Host Hardening: Run Boxlite with least privilege; avoid running as root. Use mandatory access controls (e.g., SELinux, AppArmor) to restrict symlink traversal.
  • Image Verification: Only use images from trusted sources; verify image signatures and provenance.
  • Runtime Sandbox: For older versions, consider running Boxlite within a VM or container with restricted file system access (e.g., read-only root).

Impact

An attacker can achieve arbitrary file write on the host, leading to full system compromise. With root privileges (common for Boxlite), this allows overwriting system binaries, injecting backdoors, or stealing sensitive data. In AI agent scenarios, it can escape read-only mounts and access credentials or configuration files. The vulnerability is critical, with CVSS scores ranging from 9.7 to 10, indicating a network-exploitable, low-complexity flaw with no required privileges and high impact across all security pillars.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top