{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/boxlite/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Boxlite"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","persistence","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":["Boxlite"],"content_html":"\u003cp\u003eBoxlite is a sandbox service designed to allow users to execute untrusted code in lightweight virtual machines (Boxes). A key security feature is the ability to mount host directories in read-only mode into the VM using the virtiofs protocol, preventing modifications to host data. However, a vulnerability exists that allows malicious code within the container to bypass these read-only restrictions. This is because Boxlite\u0026rsquo;s implementation relies on adding the MS_RDONLY flag \u003cem\u003eafter\u003c/em\u003e mounting, and does not restrict kernel capabilities. Malicious code can remount the directory in read-write mode. In typical usage scenarios, such as AI Agent sandboxes where user code, virtual environments, and configuration files are mounted read-only, this vulnerability allows attackers to plant malicious code and gain code execution on the host, leading to supply chain risks. The vulnerability exists because the underlying libkrun library does not support read-only mounts, and Boxlite\u0026rsquo;s guest agent (Zone 0) is not trusted to enforce the restriction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user mounts a host directory into a Boxlite VM with the \u003ccode\u003eread_only\u003c/code\u003e flag set to \u003ccode\u003etrue\u003c/code\u003e in the \u003ccode\u003eVolumeSpec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Boxlite runtime logs the \u003ccode\u003eread_only\u003c/code\u003e setting but does not pass it to the \u003ccode\u003ekrun_add_virtiofs\u003c/code\u003e function, which lacks a read-only parameter.\u003c/li\u003e\n\u003cli\u003eThe hypervisor exposes the virtiofs share to the guest with full read-write access at the device level via \u003ccode\u003elibkrun\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eread_only\u003c/code\u003e flag is sent to the guest agent as a mount instruction via gRPC.\u003c/li\u003e\n\u003cli\u003eThe guest agent, running untrusted code, receives the mount instruction with the \u003ccode\u003eread_only\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe malicious code uses the \u003ccode\u003emount\u003c/code\u003e command with the \u003ccode\u003eremount,rw\u003c/code\u003e options to change the mount flags of the virtiofs share from read-only to read-write.\u003c/li\u003e\n\u003cli\u003eThe attacker writes to the now writable directory, modifying or creating files on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains code execution capability on the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows malicious code running inside a Boxlite sandbox to bypass intended security restrictions and perform arbitrary write operations on directories that were supposed to be read-only. This can lead to code execution on the host, potentially compromising user data, virtual environments, and configuration files. This is especially dangerous in AI Agent scenarios, potentially leading to supply chain risks by planting malicious code in trusted environments. While the exact number of victims is unknown, the impact on affected Boxlite deployments could be significant, especially those relying on the read-only mount feature for security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Boxlite that addresses the read-only bypass vulnerability (reference: GHSA-g6ww-w5j2-r7x3).\u003c/li\u003e\n\u003cli\u003eImplement a capability drop profile to remove the \u003ccode\u003eCAP_SYS_ADMIN\u003c/code\u003e capability from the container, preventing the remount attack (reference: Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Boxlite Read-Only Bypass via Mount Remount\u0026rdquo; to detect attempts to remount file systems within Boxlite containers (reference: rules).\u003c/li\u003e\n\u003cli\u003eReview all volume specifications to ensure that sensitive host directories are not being mounted into Boxlite VMs without adequate write protection (reference: Attack Chain step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T21:54:26Z","date_published":"2026-05-21T21:54:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-boxlite-ro-bypass/","summary":"Boxlite, a sandbox service, allows malicious code within a container to bypass read-only restrictions on mounted host directories using virtiofs, due to missing hypervisor-level enforcement and unrestricted kernel capabilities, leading to potential code execution on the host and supply chain risks.","title":"Boxlite: Permission Bypass Allows Modification of Read-Only Files via virtiofs","url":"https://feed.craftedsignal.io/briefs/2026-05-boxlite-ro-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Boxlite","version":"https://jsonfeed.org/version/1.1"}