CVE-2026-39421
Sandbox Escape in MaxKB ToolExecutor Enables Arbitrary Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxkb | maxkb | to 2.8.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in MaxKB allows an authenticated attacker with workspace privileges to bypass sandbox restrictions and achieve arbitrary code execution, enabling full network exfiltration and container compromise.
Such unauthorized access and potential data exfiltration could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on data confidentiality and integrity.
Therefore, if exploited, this vulnerability could negatively impact compliance with these standards by exposing sensitive data or compromising system integrity.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker with workspace privileges to escape the sandbox protections and execute arbitrary code within the container running MaxKB. This can lead to full network exfiltration and compromise of the container environment.
- Arbitrary code execution inside the container.
- Bypassing sandbox restrictions designed to isolate and contain code.
- Potential leakage of sensitive data through network exfiltration.
- Compromise of container integrity and security.
Can you explain this vulnerability to me?
CVE-2026-39421 is a sandbox escape vulnerability in the ToolExecutor component of MaxKB, an open-source AI assistant for enterprise. Versions 2.7.1 and below rely on LD_PRELOAD-based interception to block critical system functions and prevent executable memory allocation within sandboxed Python processes. However, this mechanism fails to intercept the modern system call SYS_pkey_mprotect, which can be used to make memory executable.
An authenticated attacker with workspace privileges can exploit this by using Python's ctypes library to perform raw system calls directly to the kernel. The attacker dynamically allocates memory, makes it executable using pkey_mprotect (bypassing the sandbox's mprotect hook), injects assembly code, and executes arbitrary raw syscalls. This bypasses all user-space sandbox interceptions, enabling arbitrary code execution within the container.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual use of Python's ctypes library to perform raw system calls, especially the unmonitored SYS_pkey_mprotect system call (syscall number 329). Since the exploit bypasses LD_PRELOAD sandbox hooks by executing raw syscalls directly, traditional interception methods may not detect it.
You can look for suspicious Python processes that allocate executable memory dynamically and invoke system calls directly. Monitoring system calls like pkey_mprotect and unusual mmap usage from Python processes can be indicative.
- Use system call tracing tools such as `strace` to monitor Python processes for calls to `pkey_mprotect` (syscall 329) and `mmap` with executable permissions.
- Example command to trace a running Python process (replace <pid> with the process ID): `strace -p <pid> -e trace=mmap,pkey_mprotect`
- Alternatively, use auditd or eBPF-based tools to monitor syscalls globally or per container for suspicious activity involving `pkey_mprotect`.
Additionally, monitoring network traffic for unexpected exfiltration attempts from containers running vulnerable MaxKB versions may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation is to upgrade MaxKB to version 2.8.0 or later, where this sandbox escape vulnerability has been fixed.
If upgrading immediately is not possible, consider the following steps:
- Restrict workspace privileges to trusted users only, as exploitation requires authenticated workspace access.
- Enhance monitoring and restrict the use of Python's ctypes library or dynamic library loading within the environment.
- Apply additional sandbox configuration controls to disable dynamic library loading via the new `SANDBOX_PYTHON_ALLOW_DL_OPEN` parameter if supported.
- Implement system call filtering to block or monitor `SYS_pkey_mprotect` (syscall 329) to prevent unauthorized executable memory allocation.
These mitigations align with the security patch that adds system call filtering for `pkey_mprotect` and restricts dynamic library loading to prevent arbitrary code execution.