CVE-2026-49237
Status: Analyzed - Analysis Complete
Privilege Escalation in Canonical Multipass for macOS

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: Canonical Ltd.

Description
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.
Meta Information

Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS evaluated: 2026-06-16
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)

Vendor      Product     Version / Range
canonical   multipass   up to 1.16.3 (excluding)
CWE

CWE-276: During installation, installed file permissions are set to allow anyone to modify those files.
Executive Summary

CVE-2026-49237 is a local privilege escalation vulnerability in Canonical Multipass for macOS versions 1.16.1 and earlier. The problem occurs because five auxiliary binaries in the installation directory remain writable by the installing user, even though the main daemon binary is owned by root. The root-owned daemon uses a PATH environment variable that prioritizes this user-writable directory and calls these binaries by name. A local attacker can replace one of these binaries with a malicious version, which then executes with root privileges when invoked by the daemon, allowing the attacker to gain full root access.

Impact Analysis

This vulnerability allows a local attacker who has installed Multipass to silently and persistently escalate their privileges to root without needing a password, user interaction, or network access. This means the attacker can execute arbitrary code with full root privileges, compromising system confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by checking the ownership and permissions of the five critical binaries located in /Library/Application Support/com.canonical.multipass/bin/. These binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) should not be writable by the installing user.

  • List the ownership and permissions of every file in the directory: ls -l "/Library/Application Support/com.canonical.multipass/bin/"
  • Verify that each of the five binaries is owned by root:wheel and has no group or other write bit.
  • To check a single binary: ls -l "/Library/Application Support/com.canonical.multipass/bin/multipass"
  • If any of these binaries is owned by the installing user or is writable by non-root users, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade Multipass for macOS to version 1.16.3 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, manually correct the ownership and permissions of the affected binaries to root:wheel and remove write permissions for non-root users.

  • Change ownership: sudo chown root:wheel "/Library/Application Support/com.canonical.multipass/bin/multipass" (repeat for each affected binary)
  • Remove write permissions for group and others: sudo chmod go-w "/Library/Application Support/com.canonical.multipass/bin/multipass" (repeat for each affected binary)

These steps prevent local attackers from replacing the auxiliary binaries with malicious wrappers, thus mitigating the local privilege escalation risk.
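The following POSIX shell script is an added example that turns the detection guidance and the interim mitigation above into a repeatable audit; it is not code from the advisory or from Canonical. It assumes the install directory named in the description, the five binary names listed there, and the standard `ls -ld` column layout (mode, link count, owner, group). The repair function applies exactly the chown/chmod steps above and must be run as root.

```shell
#!/bin/sh
# Audit (and optionally repair) the Multipass auxiliary binaries described in
# CVE-2026-49237. Added example, not Canonical's code. Assumes the install path
# from the advisory and the usual `ls -ld` field order (mode owner group).

MULTIPASS_BIN_DIR="/Library/Application Support/com.canonical.multipass/bin"
AUX_BINARIES="multipass qemu-img qemu-system-aarch64 qemu-system-x86_64 sshfs_server"

# file_is_safe PATH
#   0: owned by root:wheel and not writable by group or others
#   1: wrong owner/group, or a group/other write bit is set
#   2: file does not exist
file_is_safe() {
  target="$1"
  [ -e "$target" ] || return 2
  # ls -ld prints e.g. "-rwxr-xr-x  1 root  wheel  1234 May 28 12:00 name";
  # only fields 1, 3 and 4 are used, so spaces in the name do not matter.
  set -- $(ls -ld "$target")
  mode="$1"; owner="$3"; group="$4"
  [ "$owner" = "root" ]  || return 1
  [ "$group" = "wheel" ] || return 1
  # In the 10-character mode string, position 6 is the group write bit and
  # position 9 is the other write bit; either one lets a non-root user
  # overwrite the binary that the root daemon later executes.
  case "$mode" in
    ?????w*|????????w*) return 1 ;;
  esac
  return 0
}

# check_bin_dir DIR
# Prints one verdict line per expected binary; returns 0 only if all are safe.
check_bin_dir() {
  dir="$1"; bad=0
  for name in $AUX_BINARIES; do
    path="$dir/$name"
    if [ ! -e "$path" ]; then
      printf 'MISSING  %s\n' "$path"
      continue
    fi
    if file_is_safe "$path"; then
      printf 'OK       %s\n' "$path"
    else
      printf 'UNSAFE   %s (%s)\n' "$path" "$(ls -ld "$path" | awk '{print $1, $3":"$4}')"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# fix_bin_dir DIR  (run as root)
# Interim mitigation from the advisory: root:wheel ownership, no group/other write.
fix_bin_dir() {
  dir="$1"
  for name in $AUX_BINARIES; do
    path="$dir/$name"
    [ -e "$path" ] || continue
    chown root:wheel "$path" && chmod go-w "$path" || return 1
  done
}

# When run on a Mac with Multipass installed, audit the real directory.
if [ -d "$MULTIPASS_BIN_DIR" ]; then
  check_bin_dir "$MULTIPASS_BIN_DIR"
fi
```

Run it as an ordinary user to audit; a non-zero exit status means at least one binary is missing the expected ownership or still carries a write bit. After `sudo sh -c '. ./check_multipass_bins.sh; fix_bin_dir "$MULTIPASS_BIN_DIR"'` (or the manual chown/chmod commands above), re-run the audit and confirm every line reads OK; upgrading to 1.16.3 or later remains the real fix.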

Compliance Impact

This vulnerability allows a local attacker to escalate privileges to root by replacing user-writable binaries invoked by a root daemon. Such unauthorized root access can lead to compromise of system confidentiality, integrity, and availability.

From a compliance perspective, this type of vulnerability can negatively impact adherence to standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system access controls.

If exploited, the vulnerability could lead to unauthorized access to personal or protected health information, violating data protection requirements and potentially resulting in non-compliance with these regulations.
