CVE-2026-49237

Source
https://cve.org/CVERecord?id=CVE-2026-49237
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49237.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49237
Aliases
  • GHSA-r2xg-x32f-23c5
Published
2026-05-28T13:22:42.840Z
Modified
2026-07-08T08:13:55.198835659Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Local Privilege Escalation in Canonical Multipass
Details

An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x8664, and sshfsserver) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49237.json",
    "cwe_ids": [
        "CWE-276"
    ],
    "cna_assigner": "canonical"
}
References

Affected packages

Git / github.com/canonical/multipass

Affected ranges

Type
GIT
Repo
https://github.com/canonical/multipass
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:canonical:multipass:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.16.3"
        }
    ]
}

Affected versions

2017.*
2017.2.1
2017.2.3
2018.*
2018.10.1
2018.11.1-pre1
2018.11.1-pre2
2018.11.1-pre3
2018.12.1-rc1
2018.4.1
2018.4.2
v0.*
v0.10.0-dev
v0.10.0-rc
v0.10.1-rc
v0.11.0-dev
v0.5
v0.6.0-pre1
v0.6.0-rc
v0.7.0-dev
v0.7.0-dev2
v0.7.0-rc
v0.8.0
v0.8.0-dev
v0.8.0-rc
v0.9.0-dev
v0.9.0-rc
v1.*
v1.1.0-dev
v1.1.0-rc
v1.10.0-dev
v1.10.0-rc
v1.11.0-dev
v1.11.0-rc
v1.12.0-dev
v1.12.0-rc
v1.13.0-dev
v1.13.0-rc
v1.14.0-dev
v1.14.0-rc
v1.14.0-rc1
v1.15.0-dev
v1.15.0-rc1
v1.16.0
v1.16.0-dev
v1.16.0-rc1
v1.16.0-rc2
v1.16.0-rc3
v1.16.0-rc4
v1.16.0-rc5
v1.16.1
v1.16.1-rc1
v1.16.1-rc2
v1.16.1-rc3
v1.16.2
v1.16.2-rc1
v1.16.2-rc2
v1.16.2-rc3
v1.16.3-rc1
v1.2.0
v1.2.0-dev
v1.2.0-rc
v1.2.1
v1.3.0-dev
v1.3.0-rc
v1.4.0-dev
v1.4.0-rc
v1.5.0-dev
v1.5.0-rc
v1.6.0-dev
v1.6.0-rc
v1.7.0-dev
v1.7.0-rc
v1.8.0-dev
v1.8.0-rc
v1.9.0-dev
v1.9.0-rc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49237.json"