CVE-2026-49238
SFTP Server VM Escape in Canonical Multipass
In short
Canonical Multipass has a flaw in its SFTP server that allows a user inside a virtual machine to access files outside their permitted folder on the host computer. An attacker can trick the server into opening files anywhere on the host system by placing directory traversal sequences in the requested path, potentially exposing sensitive host data.
Technical detail
CVE-2026-49238 is an insufficient path validation flaw in Multipass's sshfs_server component, which runs as root on the host. The vulnerability stems from a plain string prefix comparison that neither validates the path separator after the prefix nor normalizes directory traversal sequences (..). A local root attacker within a guest VM can bypass the FUSE layer by injecting crafted SFTP frames directly into the sshfs_server process's stdin/stdout pipes, reachable through procfs, and so read arbitrary host filesystem files, achieving VM escape.
Summary generated and translated by AI from the official description.
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
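The flaw class described above beside a contained alternative, as an added C++ example that is not Multipass's own code: naive_validate_path models the plain prefix comparison the advisory describes, contained_validate_path normalizes the path first and checks containment component-wise. The mount path /srv/share and both function names are assumptions for illustration.

```cpp
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Illustration of the flaw class in the advisory (plain string prefix
// comparison); modelled on the description, NOT the project's own code.
// Accepts "/srv/share/../../etc/passwd" and "/srv/share2/x" for mount "/srv/share".
bool naive_validate_path(const std::string& mount, const std::string& requested) {
    return requested.compare(0, mount.size(), mount) == 0;
}

// Hardened check: collapse "." / ".." / duplicate separators lexically, then
// express the result relative to the mount root. Anything outside the root
// comes back starting with ".."; anything inside comes back as "." or a plain
// relative path. Component-wise comparison also rejects "/srv/share2".
// Caveat: this is purely lexical. Symlinks inside the mount that point out of
// it need a separate check (resolve on the real filesystem, or open through an
// API that refuses to escape the root, e.g. Linux openat2 with RESOLVE_BENEATH).
bool contained_validate_path(const std::string& mount, const std::string& requested) {
    const fs::path root = fs::path(mount).lexically_normal();
    const fs::path target = fs::path(requested).lexically_normal();
    if (!target.is_absolute()) return false;      // only absolute paths are accepted here
    const fs::path rel = target.lexically_relative(root);
    if (rel.empty()) return false;                // no common root at all
    return rel.begin()->string() != "..";
}

int main() {
    const std::string mount = "/srv/share";       // assumed mount point
    for (const char* req : {"/srv/share/sub/file.txt",
                            "/srv/share/../../etc/passwd",
                            "/srv/share2/x"}) {
        std::cout << req << "  naive=" << naive_validate_path(mount, req)
                  << "  hardened=" << contained_validate_path(mount, req) << '\n';
    }
    return 0;
}
```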
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N