CVE-2026-46695
Read-only volume remount bypass via guest CAP_SYS_ADMIN
Description
Affected versions of `boxlite` mount host directories shared via virtiofs as guest-side read-only by setting `MS_RDONLY` from the guest. Because the default guest capability set included `CAP_SYS_ADMIN`, untrusted code running inside a sandbox could execute `mount -o remount,rw <path>` to re-flag the share as read-write and then write through to the host filesystem — fully escaping the read-only contract `boxlite` advertised to callers. The fix in v0.9.0 enforces read-only at the hypervisor level via `krun_add_virtiofs3` (so the guest's `MS_RDONLY` is no longer the authoritative gate) and drops `CAP_SYS_ADMIN` from the default guest capability set (matching Docker's defaults). This is a sandbox-escape bug: `boxlite` is a sandboxing runtime, so the read-only invariant is part of its security contract. CVSS rated 10.0 by the upstream advisory.
How to fix CVE-2026-46695
To remediate CVE-2026-46695, upgrade the affected package to a fixed version below.
- —upgrade to 0.9.0 or later
- —upgrade to 0.9.0 or later
- —upgrade to 0.9.0 or later
- —upgrade to 0.9.0 or later
- —upgrade to 0.9.0 or later
- —upgrade to 0.9.0 or later
Is CVE-2026-46695 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46695.
Affected packages (6)
- from 0, < 0.9.0
- >= 0.0.0-0, < 0.9.0
- from 0, < 0.9.0
- from 0, < 0.9.0
- from 0, < 0.9.0
- from 0, < 0.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |