CVE-2026-46695
Status: Received - Intake
Privilege Escalation in Boxlite via Kernel Capability Abuse

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, so malicious code can remount the directory in rw mode, thereby gaining write access to that directory. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: boxlite | Product: boxlite | Version / Range: up to 0.9.0 (exclusive)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

This vulnerability exists in Boxlite, a sandbox service that allows users to create lightweight virtual machines and run OCI containers. Prior to version 0.9.0, Boxlite did not restrict kernel capabilities inside the container, which allowed malicious code to remount directories in read-write mode. This means that code running inside the container could gain unauthorized write access to directories that should have been read-only.

Impact Analysis

The vulnerability allows attackers to perform arbitrary write operations on directories that are supposed to be read-only. This can lead to unauthorized modification of files, potentially compromising the integrity and security of the system. Because the vulnerability can be exploited remotely without any privileges or user interaction, it poses a critical risk.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Boxlite to version 0.9.0 or later, as this version includes a patch that restricts kernel capabilities inside containers, preventing malicious code from remounting directories in read-write mode.
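The fix is described above as restricting kernel capabilities inside the container. The following is an added example, not Boxlite's code and not taken from this advisory, showing how a defender can audit an OCI runtime config.json for the capability that a remount needs (mount(2) with MS_REMOUNT requires CAP_SYS_ADMIN) and produce a hardened copy that drops it from every capability set and enables noNewPrivileges. The sample config, its mount paths and the capability lists are constructed; which capabilities Boxlite 0.9.0 itself restricts is not stated on this page and is assumed here.

```python
"""Added example (not Boxlite's code): audit an OCI runtime config for
capabilities that allow remounting a read-only mount read-write.

Assumptions, labelled as such:
  * the OCI runtime spec layout process.capabilities.{bounding,effective,
    permitted,inheritable,ambient} and process.noNewPrivileges;
  * CAP_SYS_ADMIN is what mount(2) with MS_REMOUNT requires;
  * the sample config below is constructed, not a real Boxlite config.
"""
import copy
import json

# Capabilities that let an in-container process call mount(2).
MOUNT_CAPS = {"CAP_SYS_ADMIN"}
CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")

# Constructed sample: the permissive shape the advisory describes, where the
# capability sets are not restricted and a read-only bind mount is present.
PERMISSIVE_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["/bin/sh"],
        "capabilities": {
            s: ["CAP_CHOWN", "CAP_SYS_ADMIN", "CAP_NET_BIND_SERVICE"] for s in CAP_SETS
        },
    },
    "mounts": [
        {"destination": "/workspace", "type": "bind",
         "source": "/srv/ws", "options": ["rbind", "ro"]},
        {"destination": "/tmp", "type": "tmpfs",
         "source": "tmpfs", "options": ["nosuid", "nodev"]},
    ],
}


def read_only_mounts(config: dict) -> list:
    """Destinations mounted with the 'ro' option (what a remount would target)."""
    return [m["destination"] for m in config.get("mounts", [])
            if "ro" in m.get("options", [])]


def remount_capable_sets(config: dict) -> dict:
    """Map capability-set name -> sorted mount-capable caps still granted there."""
    caps = config.get("process", {}).get("capabilities", {})
    found = {}
    for name in CAP_SETS:
        hits = sorted(MOUNT_CAPS.intersection(caps.get(name, [])))
        if hits:
            found[name] = hits
    return found


def harden(config: dict) -> dict:
    """Return a deep copy with mount-capable caps removed from every set
    and noNewPrivileges enabled; the input is left untouched."""
    hardened = copy.deepcopy(config)
    proc = hardened.setdefault("process", {})
    caps = proc.setdefault("capabilities", {})
    for name in CAP_SETS:
        caps[name] = [c for c in caps.get(name, []) if c not in MOUNT_CAPS]
    proc["noNewPrivileges"] = True
    return hardened


def audit(config: dict) -> dict:
    """A config is at risk when it has read-only mounts AND any capability
    set still grants a capability that permits remounting them."""
    ro = read_only_mounts(config)
    risky = remount_capable_sets(config)
    return {"read_only_mounts": ro,
            "remount_capable_sets": risky,
            "at_risk": bool(ro) and bool(risky)}


if __name__ == "__main__":
    print("before:", json.dumps(audit(PERMISSIVE_CONFIG), indent=2))
    print("after: ", json.dumps(audit(harden(PERMISSIVE_CONFIG)), indent=2))
```

The check is deliberately conservative: a read-only mount is only reported as at risk if some capability set still carries CAP_SYS_ADMIN, so a config that keeps the mount but drops the capability everywhere passes.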

Compliance Impact

CVE-2026-46695 allows malicious code running inside Boxlite sandboxes to bypass read-only file restrictions and perform arbitrary write operations on directories that should be read-only. This can lead to unauthorized modification of user code, virtual environments, credentials, or configuration files.

Such unauthorized modifications and potential full host compromise pose significant risks to data integrity and confidentiality, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if this vulnerability is exploited, it could lead to non-compliance with these regulations due to unauthorized access and modification of sensitive data or system configurations.

Mitigation requires upgrading to Boxlite version 0.9.0 or later, which implements multiple layers of defense including hypervisor-level read-only enforcement, capability restrictions, and network isolation to prevent such attacks.

Detection Guidance

There is no specific detection command or network/system scanning method provided in the available resources for CVE-2026-46695.

However, users can verify if their Boxlite installation is vulnerable by checking the version. Versions prior to 0.9.0 are affected, so confirming the Boxlite version is a key step.

To check the installed Boxlite version, you can run a command similar to:

  • boxlite --version

If the version is below 0.9.0, the system is vulnerable and should be upgraded immediately.

Since the vulnerability involves the ability to remount read-only directories as read-write inside containers, monitoring for unexpected remount operations or changes to read-only volumes could help detect exploitation attempts, but no specific commands or detection tools are provided.
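The paragraph above suggests monitoring for unexpected remount operations. The following is an added example, not from this advisory or from Boxlite, of what that monitoring can look like on a Linux host: it parses audit SYSCALL records for mount(2) calls and flags those whose mountflags argument has MS_REMOUNT set without MS_RDONLY, i.e. a remount to read-write. It assumes auditd is recording mount syscalls (for example with a rule such as `-a always,exit -F arch=b64 -S mount -k remount_watch`), that the records are for x86_64 (arch=c000003e, syscall 165) and that a3 carries the flags in hex as auditd logs them. The log lines are constructed for the example.

```python
"""Added example (not Boxlite's code, not from the advisory): flag
remount-to-read-write syscalls in Linux audit SYSCALL records.

Assumptions, labelled as such:
  * auditd SYSCALL record layout for x86_64 (arch=c000003e);
  * mount(2) is syscall 165 on x86_64 and a3 is the mountflags argument,
    logged as hex without a 0x prefix;
  * the SAMPLE_LOG lines below are constructed, not real captures.
"""
import re
from dataclasses import dataclass
from typing import List

MS_RDONLY = 0x1      # mount read-only
MS_REMOUNT = 0x20    # alter flags of an existing mount
MS_BIND = 0x1000     # bind mount
MOUNT_SYSCALL_X86_64 = 165
X86_64_ARCH = "c000003e"

RECORD_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class RemountEvent:
    serial: int
    timestamp: float
    pid: int
    uid: int
    flags: int
    success: bool
    comm: str

    @property
    def to_rw(self) -> bool:
        """A remount that clears MS_RDONLY is a remount to read-write."""
        return bool(self.flags & MS_REMOUNT) and not (self.flags & MS_RDONLY)


def parse_fields(text: str) -> dict:
    """Turn 'k=v k="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_remount_events(lines) -> List[RemountEvent]:
    """All mount(2) records (successful or not) whose flags include MS_REMOUNT."""
    events = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        if f.get("arch") != X86_64_ARCH:
            continue
        if int(f.get("syscall", "-1")) != MOUNT_SYSCALL_X86_64:
            continue
        flags = int(f.get("a3", "0"), 16)
        if not flags & MS_REMOUNT:
            continue  # fresh mounts are not what this detection is about
        events.append(RemountEvent(
            serial=int(m.group("serial")),
            timestamp=float(m.group("ts")),
            pid=int(f.get("pid", "0")),
            uid=int(f.get("uid", "0")),
            flags=flags,
            success=f.get("success") == "yes",
            comm=f.get("comm", ""),
        ))
    return events


def suspicious_remounts(lines) -> List[RemountEvent]:
    """Remounts to read-write, failed attempts included: a denied attempt is
    still a signal that something inside the container tried."""
    return [e for e in parse_remount_events(lines) if e.to_rw]


# Constructed sample records. The common fields are abbreviated to the ones
# the parser reads plus a few realistic neighbours.
_COMMON = ("items=2 ppid=1 auid=4294967295 gid=0 euid=0 suid=0 fsuid=0 "
           "egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 key=\"remount_watch\"")
SAMPLE_LOG = [
    # benign: remount read-only (MS_REMOUNT|MS_RDONLY = 0x21)
    f'type=SYSCALL msg=audit(1717995000.101:1001): arch=c000003e syscall=165 '
    f'success=yes exit=0 a0=7ffd3a1b2c40 a1=7ffd3a1b2c50 a2=0 a3=21 pid=2310 uid=0 '
    f'comm="mount" exe="/usr/bin/mount" {_COMMON}',
    # suspicious: bind remount to read-write (MS_REMOUNT|MS_BIND = 0x1020)
    f'type=SYSCALL msg=audit(1717995003.417:1002): arch=c000003e syscall=165 '
    f'success=yes exit=0 a0=55d0c1a02f10 a1=55d0c1a02f10 a2=0 a3=1020 pid=2388 uid=0 '
    f'comm="sh" exe="/bin/sh" {_COMMON}',
    # unrelated syscall (execve = 59)
    f'type=SYSCALL msg=audit(1717995004.002:1003): arch=c000003e syscall=59 '
    f'success=yes exit=0 a0=55d0c1a03000 a1=55d0c1a03100 a2=55d0c1a03200 a3=0 pid=2390 uid=0 '
    f'comm="ls" exe="/bin/ls" {_COMMON}',
    # suspicious but denied: plain remount to read-write (MS_REMOUNT = 0x20)
    f'type=SYSCALL msg=audit(1717995010.550:1004): arch=c000003e syscall=165 '
    f'success=no exit=-1 a0=7ffe11aa0010 a1=7ffe11aa0020 a2=0 a3=20 pid=2401 uid=1000 '
    f'comm="python3" exe="/usr/bin/python3" {_COMMON}',
    # benign: a fresh tmpfs mount, no MS_REMOUNT
    f'type=SYSCALL msg=audit(1717995012.000:1005): arch=c000003e syscall=165 '
    f'success=yes exit=0 a0=7ffe11aa0030 a1=7ffe11aa0040 a2=7ffe11aa0050 a3=0 pid=2405 uid=0 '
    f'comm="mount" exe="/usr/bin/mount" {_COMMON}',
]

if __name__ == "__main__":
    for e in suspicious_remounts(SAMPLE_LOG):
        state = "succeeded" if e.success else "DENIED"
        print(f"serial={e.serial} pid={e.pid} uid={e.uid} comm={e.comm} "
              f"flags=0x{e.flags:x} remount-to-rw {state}")
```

Record 1002 is the pattern this advisory describes: a shell inside the container turning a read-only bind mount read-write. Record 1004 is kept as well because a denied attempt from an unprivileged uid is still worth alerting on; a patched Boxlite should produce only denials, so any success=yes hit is the stronger signal.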
