Description
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
Published: 2026-05-28
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
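The flaw class named in the description (a string prefix comparison with no separator check and no dot-dot normalization), shown beside a component-wise containment check. This is an added example, not Multipass code or its fix; the function names and sample paths are constructed for illustration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// "Before": plain string prefix comparison, the pattern the advisory describes.
bool prefix_only_check(const std::string& root, const std::string& requested) {
    return requested.compare(0, root.size(), root) == 0;
}

// Split an absolute path into components, dropping "" and "." and resolving
// ".." lexically. Fails on relative paths and on ".." that climbs above "/".
bool normalise(const std::string& path, std::vector<std::string>& out) {
    if (path.empty() || path[0] != '/') return false;
    out.clear();
    std::size_t i = 0;
    while (i < path.size()) {
        std::size_t j = path.find('/', i);
        if (j == std::string::npos) j = path.size();
        const std::string part = path.substr(i, j - i);
        i = j + 1;
        if (part.empty() || part == ".") continue;
        if (part == "..") {
            if (out.empty()) return false;
            out.pop_back();
        } else {
            out.push_back(part);
        }
    }
    return true;
}

// "After": normalise both paths, then require every component of the mount
// root to match, so "share-private" is not treated as inside "share".
bool contained_check(const std::string& root, const std::string& requested) {
    std::vector<std::string> r, q;
    if (!normalise(root, r) || !normalise(requested, q)) return false;
    if (q.size() < r.size()) return false;
    for (std::size_t k = 0; k < r.size(); ++k)
        if (r[k] != q[k]) return false;
    return true;
}

int main() {
    const std::string root = "/home/user/share";  // constructed sample mount root
    const char* samples[] = {"/home/user/share/docs/a.txt",
                             "/home/user/share/../../../etc/hostname",
                             "/home/user/share-private/key"};
    for (const char* s : samples)
        std::printf("%-42s prefix=%d contained=%d\n", s,
                    prefix_only_check(root, s), contained_check(root, s));
    return 0;
}
```

The check is lexical only: it does not follow symlinks inside the mount, so a server also has to resolve the path on disk (or open relative to a directory handle) before trusting the result.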
AI Analysis

Impact

An attacker with root privileges inside a guest virtual machine can exploit a path validation flaw in Canonical Multipass’s SFTP server component (sshfs_server), which runs as root on the host. By crafting an SFTP request containing directory traversal sequences and injecting it directly into the sshfs_server’s stdin/stdout via procfs, the guest can cause the host process to resolve paths outside the allowed mount boundary. This allows the guest to read arbitrary files on the host filesystem: a privilege escalation from inside the guest to the host that amounts to a virtual machine escape.

Affected Systems

The flaw exists in all versions of Canonical Multipass released before 1.16.3. Users running any pre-1.16.3 build of Multipass are potentially vulnerable. No specific sub-versions are listed, but the entire product line up to 1.16.2 is affected.

Risk and Exploitability

With a CVSS score of 8.4, this vulnerability presents a high severity risk. The exploit requires local root privileges inside the VM and the ability to manipulate the sshfs_server process via procfs, which are conditions that may be hard to meet in a supervised environment but present a significant threat if an attacker gains root in a virtual machine. The EPSS score is currently unavailable, and the issue has not been listed in the CISA KEV catalog. Nonetheless, the high severity and the potential to read any host file make it a dangerous vector for data disclosure and privilege escalation.

Generated by OpenCVE AI on May 28, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Canonical Multipass to version 1.16.3 or later.
  • Restrict guest users to non‑root privileges to mitigate traversal attacks.
  • Disable the host‑side SFTP/sshfs server when it is not required or replace it with a safer file transfer method.



Advisories

No advisories yet.

History

Thu, 28 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Canonical; Canonical multipass
Vendors & Products | | Canonical; Canonical multipass

Thu, 28 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | SFTP Server VM Escape in Canonical Multipass
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-05-28T14:24:22.829Z

Reserved: 2026-05-28T12:03:02.295Z

Link: CVE-2026-49238

Vulnrichment

Updated: 2026-05-28T14:24:15.595Z

NVD

Status: Received

Published: 2026-05-28T14:16:24.403

Modified: 2026-05-28T16:16:29.973

Link: CVE-2026-49238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:30:15Z

Weaknesses