ZeroPath at Black Hat USA 2026

Brief Summary: Canonical Multipass CVE-2026-49238 VM Escape via SFTP Path Traversal and Pipe Injection

A short review of CVE-2026-49238, a high severity path traversal vulnerability in Canonical Multipass that allows a guest VM root user to read arbitrary files on the host filesystem by injecting raw SFTP frames through procfs pipes, effectively achieving a virtual machine escape.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Brief Summary: Canonical Multipass CVE-2026-49238 VM Escape via SFTP Path Traversal and Pipe Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A path traversal flaw in Canonical Multipass's host side SFTP server allows a root user inside a guest virtual machine to read arbitrary files on the host filesystem, effectively breaking VM isolation entirely. For development teams running Multipass on macOS with mounted directories, this means that sensitive host credentials like SSH keys and cloud API tokens are directly accessible from within what was assumed to be a sandboxed environment.

Canonical Multipass is a lightweight VM manager for Linux, Windows, and macOS that lets developers spin up Ubuntu environments with a single command, using KVM on Linux, Hyper-V on Windows, and QEMU on macOS. The project has 9.1k stars and 795+ forks on GitHub, reflecting significant adoption in developer workflows. It occupies a notable position in the Ubuntu ecosystem as Canonical's recommended tool for local Ubuntu VM orchestration.

Technical Information

Root Cause: Flawed Path Validation

The vulnerability originates in the validate_path function located at lines 226 through 232 of src/sshfs_mount/sftp_server.cpp in the Multipass source code. This function is responsible for ensuring that SFTP requests from the guest VM only access paths within the designated mount boundary on the host. The implementation performs only a plain string prefix comparison on requested paths, with no path separator validation and no dot-dot (..) normalization.

This means a path such as /Users/user/multipass_restrict/../.aws/credentials passes the prefix check because its initial bytes match the allowed source path prefix. The operating system then resolves the .. traversal at ::open() time on the host, effectively escaping the mount boundary. This is a textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) issue, a vulnerability class that MITRE and OWASP have documented extensively with well established mitigation patterns: canonicalize the path (resolve .., symlinks, and redundant separators) before comparing against the allowed directory, then verify the resolved path remains within the boundary.

The Pipe Injection Attack Vector

The exploitation technique bypasses the FUSE layer entirely. In normal operation, the sshfs_server process communicates with the guest VM through stdin/stdout pipes using the raw SFTP binary protocol. Critically, after the SFTP handshake completes, a root process inside the guest can access these pipes directly via the procfs filesystem at /proc/<sshfs_pid>/fd/1 (stdout) and /proc/<sshfs_pid>/fd/0 (stdin).

The sshfs_server process executes with root privileges on the host. This is the core of the severity: any path that passes the flawed validate_path check is then opened by a root process, meaning the attacker inherits full root file access on the host.

Step by Step Attack Flow

The GitHub advisory (GHSA-rhp2-23c4-r34w) describes a Python proof of concept script that demonstrates the full attack chain:

  1. Obtain root in the guest: The default ubuntu user in a Multipass VM belongs to the sudo group with no password prompt. Privilege escalation within the guest is trivial.

  2. Identify the sshfs PID: The attacker locates the process ID of the sshfs process running on the host but accessible from the guest.

  3. Send SIGSTOP: The attacker sends SIGSTOP to the sshfs process, pausing its normal operation and preventing it from interfering with the injected frames.

  4. Inject raw SFTP frames: The attacker writes a malicious SSH_FXP_OPEN request directly into the sshfs process's stdin pipe via /proc/<sshfs_pid>/fd/0, specifying a path containing directory traversal sequences that match the allowed mount prefix.

  5. Read the response: The attacker reads the file handle and file data from the sshfs process's stdout pipe via /proc/<sshfs_pid>/fd/1.

  6. Complete the transaction: A full SSH_FXP_OPEN, SSH_FXP_READ, SSH_FXP_CLOSE transaction is executed to read sensitive host files such as ~/.aws/credentials or ~/.ssh/id_rsa.

  7. Send SIGCONT: The attacker resumes the sshfs process, restoring normal mount operation and leaving no artifact on the host.

Attack Prerequisites

The prerequisites for exploitation are notably low:

PrerequisiteDetailDifficulty
Running Multipass VMVM must be active on the hostLow (default operation)
Host directory mountedMount via multipass mount (default in standard installation)Low (default configuration)
Root inside guestubuntu user has passwordless sudoLow (trivial)
Access to procfs/proc/<pid>/fd/* accessible from guestLow (Linux default)

CVSS Vector Analysis

The CVSS v3.1 vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, scoring 8.4 (High).

MetricValueRationale
Attack Vector (AV)LocalExploitation requires local access to the guest VM
Attack Complexity (AC)LowNo special conditions required beyond default configuration
Privileges Required (PR)LowPasswordless sudo in default guest makes root trivial
User Interaction (UI)NoneNo host user action needed
Scope (S)ChangedImpact crosses trust boundary from guest to host
Confidentiality (C)HighArbitrary host file read with root privileges
Integrity (I)HighScope change to host implies integrity risk
Availability (A)NoneNo direct availability impact

The Scope: Changed designation is particularly significant here. It reflects the fact that the vulnerability crosses the guest/host isolation boundary, which is the fundamental security guarantee that VM technology is supposed to provide.

Defense in Depth Failure

This vulnerability represents a failure at multiple layers simultaneously. The validate_path function used string prefix matching rather than canonicalized path comparison. Beyond that, the SFTP binary protocol on stdin/stdout was exposed to the guest via procfs without additional access controls. And at the VM isolation layer, the default passwordless sudo configuration in the guest lowered the privilege barrier to near zero. The attack also leaves no artifact on the host filesystem, meaning host based monitoring alone may not detect exploitation.

Affected Systems and Versions

All versions of Canonical Multipass prior to version 1.16.3 are affected. The confirmed test environment in the advisory was macOS Tahoe 26.4.1 with Multipass 1.16.1+mac. The advisory specifically notes that all versions of Multipass on macOS up to and including 1.16.2 are affected.

The vulnerability requires that a host directory has been mounted into the guest VM via multipass mount. Systems without mounted directories are not exploitable through this vector.

Multipass version 1.16.3 contains the fix, described in the release notes as "[sshfs] Sshfs path normalization." As of May 20, 2026, the release candidate v1.16.3-rc2 was available as a pre-release on GitHub.

Vendor Security History

Multipass has experienced a pattern of local privilege escalation vulnerabilities over the past five years:

CVEYearDescription
CVE-2021-36262021Windows localhost TCP control socket allowed any local process to perform mounts
CVE-2025-51992025Incorrect default permissions on macOS allowed local privilege escalation
CVE-2026-492382026Path traversal via pipe injection enables VM escape

All three CVEs share a common theme: default configuration or implementation errors in boundary enforcement, rather than subtle cryptographic or logic flaws. macOS appears as a repeated affected platform. This pattern suggests that Canonical's development process for Multipass would benefit from systematic threat modeling focused on the guest/host boundary, rather than relying on individual bug discoveries to surface these issues incrementally.

The researcher credited with discovering CVE-2026-49238 is @espreto, and the advisory was published by ricab on the GitHub security advisories page.

Canonical followed a responsible disclosure timeline for this vulnerability: the 1.16.3 release candidate was published on May 20, 2026, eight days before the advisory went public on May 28, 2026.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization