CVE-2026-47213
Status: Received - Intake
Timeout Signal Handling Flaw in Boxlite

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
boxlite   boxlite    to 0.8.2 (exc)
CWE
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
Executive Summary

Boxlite is a sandbox service that allows users to run untrusted code inside lightweight virtual machines called Boxes. In versions 0.8.2 and earlier, Boxlite lets users set a timeout for services running inside these virtual machines. When the timeout is reached, Boxlite is supposed to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. This means malicious code inside the sandbox can install a handler for the signal and avoid being killed, allowing it to keep running even after the timeout.

As a result, the malicious code can continue consuming resources inside the virtual machine, leading to resource exhaustion and potentially affecting the availability of the Boxlite service.

Impact Analysis

This vulnerability can allow malicious code running inside the Boxlite sandbox to evade termination after a timeout, causing it to continue consuming system resources.

The continued resource consumption can lead to resource exhaustion within the virtual machine, which may degrade or disrupt the availability of the Boxlite service.

This can impact system stability and availability, potentially affecting other services or users relying on Boxlite.

Mitigation Strategies

To mitigate this vulnerability, you should update Boxlite to a version that includes the patch applied via commit 28159fc. This patch changes the signal used to terminate timed-out processes from the catchable SIGALRM to the uncatchable SIGKILL, preventing malicious code from continuing to run after the timeout.
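The difference between the two timeout actions in the Description and the Mitigation above, as an added Python example that is not Boxlite's own code (the page does not say what language Boxlite is written in). It spawns a constructed child that installs a do-nothing SIGALRM handler, enforces a timeout with SIGALRM (the pre-patch behaviour) and then with SIGKILL (the patched behaviour), and reports whether the child outlived the timeout; the timeout and grace values are assumptions chosen for the demo.

```python
import signal
import subprocess
import sys


# Constructed stand-in for untrusted sandbox code: it installs a SIGALRM
# handler that does nothing and then keeps running. Any workload can do this,
# because SIGALRM is an ordinary catchable signal.
STUBBORN_CHILD = (
    "import signal, time\n"
    "signal.signal(signal.SIGALRM, lambda *_: None)\n"
    "time.sleep(60)\n"
)


def child_survives_timeout(timeout_s: float, sig: int, grace_s: float = 1.0) -> bool:
    """Spawn the child, wait up to timeout_s, then send `sig` as the timeout
    action. Returns True if the child is still alive grace_s later."""
    proc = subprocess.Popen([sys.executable, "-c", STUBBORN_CHILD])
    try:
        proc.wait(timeout=timeout_s)
        return False  # exited on its own before the timeout
    except subprocess.TimeoutExpired:
        pass
    proc.send_signal(sig)  # the timeout action under test
    try:
        proc.wait(timeout=grace_s)
        return False  # the signal terminated it
    except subprocess.TimeoutExpired:
        proc.kill()  # survived: reap it so the demo leaks no process
        proc.wait()
        return True


def vulnerable_timeout(timeout_s: float = 1.5) -> bool:
    """Behaviour described for Boxlite <= 0.8.2: SIGALRM as the kill signal."""
    return child_survives_timeout(timeout_s, signal.SIGALRM)


def fixed_timeout(timeout_s: float = 1.5) -> bool:
    """Patched behaviour: SIGKILL cannot be caught, blocked or ignored."""
    return child_survives_timeout(timeout_s, signal.SIGKILL)


if __name__ == "__main__":
    print("SIGALRM: child survived =", vulnerable_timeout())  # True
    print("SIGKILL: child survived =", fixed_timeout())       # False
```

The same check applies to any timeout enforcer: after sending the termination signal, confirm the process is actually gone before treating the timeout as handled.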
