CVE-2026-46703
CRITICAL (9.6): OCI layer symlink escape → arbitrary host write
Description
Affected versions of `boxlite` extract OCI image layer tarballs without fully containing path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path (e.g. `escape -> /tmp`) followed by a file entry that resolves through that symlink (e.g. `escape/<path>/pwned.txt`) caused the extractor to write the payload to the host filesystem outside the intended rootfs directory. The fix in v0.9.0 routes every destructive filesystem operation through a `SafeRoot` handle (`openat2(RESOLVE_IN_ROOT)` on Linux, lexical fallback elsewhere) so that no tar entry can resolve outside the extraction root, even with adversarial symlinks placed by earlier entries in the same layer. This is a container-escape during image extraction, exploitable by any user who pulls or loads a malicious OCI image — including via `SimpleBox(rootfs_path=...)` from an untrusted local layout.
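As an added example (not boxlite's own `SafeRoot` code), the following is a lexical resolver in the spirit of the advisory's fallback path: it follows symlinks that earlier entries of the same layer have already placed under the extraction root, but re-roots absolute targets at that root and clamps `..` there, mirroring what `openat2(RESOLVE_IN_ROOT)` enforces in the kernel. The extraction root, the `read_link` callback and the map of constructed symlinks are assumptions for the demonstration; a real extractor would back `read_link` with `std::fs::read_link`.

```rust
use std::{collections::HashMap, ffi::OsString, path::{Component, Path, PathBuf}};

/// Push the name components of `p` onto the work stack so the first one is popped
/// first. Root/prefix components carry no name: absolute just means "restart at root".
fn queue(todo: &mut Vec<OsString>, p: &Path) {
    for c in p.components().rev() {
        match c {
            Component::Normal(n) => todo.push(n.to_os_string()),
            Component::ParentDir => todo.push(OsString::from("..")),
            _ => {}
        }
    }
}

/// Resolve a tar entry path under `root`, following symlinks that earlier entries of
/// the same layer may already have created. `read_link` returns a symlink's target for
/// a host path, or None if it is not a symlink. Absolute targets are re-rooted at
/// `root` and `..` is clamped there, so the result can never leave the extraction root.
pub fn resolve_in_root(root: &Path, entry: &str, read_link: &dyn Fn(&Path) -> Option<PathBuf>) -> Option<PathBuf> {
    let mut todo = Vec::new();
    queue(&mut todo, Path::new(entry));
    let mut rel = PathBuf::new(); // resolved prefix, relative to `root`
    let mut hops = 0;
    while let Some(name) = todo.pop() {
        if name == ".." {
            rel.pop(); // a no-op at the root, as with RESOLVE_IN_ROOT
            continue;
        }
        let candidate = rel.join(&name);
        match read_link(&root.join(&candidate)) {
            Some(target) => {
                hops += 1;
                if hops > 40 { return None; } // symlink loop or an absurdly deep chain
                if target.is_absolute() { rel = PathBuf::new(); } // `/tmp` means `<root>/tmp`
                queue(&mut todo, &target); // relative targets resolve from `rel`
            }
            None => rel = candidate,
        }
    }
    Some(root.join(rel))
}

fn main() {
    // Constructed layer state: an earlier entry created `escape -> /tmp` under a
    // hypothetical root; a real extractor would call std::fs::read_link instead.
    let root = Path::new("/var/lib/boxlite/rootfs");
    let mut links: HashMap<PathBuf, PathBuf> = HashMap::new();
    links.insert(root.join("escape"), PathBuf::from("/tmp"));
    let read_link = |p: &Path| links.get(p).cloned();
    println!("{:?}", resolve_in_root(root, "escape/pwned.txt", &read_link));
}
```

A lexical check like this races against concurrent changes to the tree between resolution and the write, which is why the fix prefers `openat2(RESOLVE_IN_ROOT)` on Linux and keeps the lexical version only as a fallback.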
Affected packages (6)
- crates.io/boxlite: from 0, < 0.9.0
- crates.io/boxlite: >= 0.0.0-0, < 0.9.0
- crates.io/boxlite-cli: from 0, < 0.9.0
- Go/github.com/boxlite-ai/boxlite/sdks/go: from 0, < 0.9.0
- npm/@boxlite-ai/boxlite: from 0, < 0.9.0
- PyPI/boxlite: from 0, < 0.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.6) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
References (7)
- PATCH: https://crates.io/crates/boxlite
- PATCH: https://github.com/boxlite-ai/boxlite
- WEB: https://github.com/boxlite-ai/boxlite/pull/429
- WEB: https://github.com/boxlite-ai/boxlite/pull/446
- WEB: https://github.com/boxlite-ai/boxlite/pull/461
- WEB: https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j
- WEB: https://rustsec.org/advisories/RUSTSEC-2026-0148.html