CVE-2026-49238

Severity: High · Public PoC available

Published: 28 May 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: update to Multipass 1.16.3 or later (affected: versions before 1.16.3)
CVSS v3.1: 8.4 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.0050 (39.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-49238 is a high-severity path traversal (CWE-22) vulnerability in Canonical Multipass, with a CVSS v3.1 base score of 8.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Escape to Host (T1611). EPSS ranks it at the 39.4th percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

Vulnerability details

An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
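The weakness described above is a containment check that compares strings rather than path components. The example below is added here to show the two bypasses side by side; it is illustrative C++ and is not Multipass's validate_path nor the project's fix. The function names, the mount root "/srv/share" and the sample requests are all constructed for the demonstration.

```cpp
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Weak check modelled on the flaw described above: a plain string prefix
// comparison with no separator check and no ".." normalization.
bool vulnerable_validate_path(const std::string& allowed_prefix,
                              const std::string& requested)
{
    return requested.compare(0, allowed_prefix.size(), allowed_prefix) == 0;
}

// Hardened check (illustrative, not the project's patch): normalize both
// paths lexically so "." and ".." are resolved, then require every component
// of the allowed root to match the corresponding component of the request.
// Matching on components, not characters, also closes the "/srv/share" vs
// "/srv/share2" separator bypass.
bool hardened_validate_path(const std::string& allowed_prefix,
                            const std::string& requested)
{
    fs::path root = fs::path(allowed_prefix).lexically_normal();
    fs::path req  = fs::path(requested).lexically_normal();

    // Only absolute paths are meaningful for a host-side containment check.
    if (!root.is_absolute() || !req.is_absolute())
        return false;

    // A trailing '/' leaves an empty final component; drop it so that
    // "/srv/share/" and "/srv/share" describe the same root.
    if (!root.has_filename())
        root = root.parent_path();

    // lexically_normal() already removes ".." from absolute paths; keep an
    // explicit rejection so a future change to normalization cannot reopen it.
    for (const auto& component : req)
        if (component.string() == "..")
            return false;

    auto r = root.begin();
    auto q = req.begin();
    for (; r != root.end(); ++r, ++q) {
        if (q == req.end() || *r != *q)
            return false;
    }
    return true;
}

// Caveat: this check is purely lexical. A host-side server must additionally
// resolve symlinks (realpath, or openat with O_NOFOLLOW per component) under
// the mount root, because a guest-controlled symlink can still point outside
// the share even when the requested string passes this test.

int main()
{
    const std::string root = "/srv/share";
    // Constructed sample requests, as an attacker injecting raw SFTP frames
    // could send them.
    const std::vector<std::string> requests = {
        "/srv/share/docs/./notes.txt",           // legitimate
        "/srv/share/../../etc/passwd",           // ".." traversal that matches the prefix
        "/srv/share2/secret",                    // separator bypass
        "/srv/share/../share/../../etc/shadow",  // mixed
    };
    for (const auto& p : requests) {
        std::cout << p << "  vulnerable=" << vulnerable_validate_path(root, p)
                  << "  hardened=" << hardened_validate_path(root, p) << '\n';
    }
    return 0;
}
```

The traversal request passes the string compare because it literally begins with the allowed prefix; the hardened check normalizes it to /etc/passwd first and then sees the root components do not match.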

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1611 Escape to Host Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

Path traversal in privileged host-side SFTP component directly enables guest-to-host escape for arbitrary file access (T1611).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7875 (shared CWE-22)
CVE-2026-24843 (shared CWE-22)
CVE-2026-34177 (same vendor: Canonical)
CVE-2026-34178 (same vendor: Canonical)
CVE-2025-53513 (same vendor: Canonical)
CVE-2026-49237 (same product: Canonical Multipass)
CVE-2026-27523 (shared CWE-22)
CVE-2026-28457 (shared CWE-22)
CVE-2026-47331 (same vendor: Canonical)
CVE-2026-23954 (shared CWE-22)

Affected Assets

Canonical Multipass, versions before 1.16.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories. A plain string prefix compare is not sufficient for this: canonicalize the requested path (resolving "." and "..", and on the host also symlinks) before checking it, and require the allowed root to match on a path-component boundary so that a sibling directory sharing the prefix is rejected.
