CVE-2026-47213
Deferred - Pending Action

Timeout Signal Handling Flaw in Boxlite

Vulnerability report for CVE-2026-47213, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

One associated CPE:

Vendor: boxlite
Product: boxlite
Version / Range: to 0.8.2 (exc)

Exploitability

CWE
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.

AI Quick Actions

Executive Summary

Boxlite is a sandbox service that allows users to run untrusted code inside lightweight virtual machines called Boxes. In versions 0.8.2 and earlier, Boxlite lets users set a timeout for services running inside these virtual machines. When the timeout is reached, Boxlite is supposed to kill the process to stop it. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. This means malicious code inside the sandbox can catch the signal and avoid being killed, allowing it to keep running even after the timeout.

As a result, the malicious code can continue consuming resources inside the virtual machine, leading to resource exhaustion and potentially affecting the availability of the Boxlite service.

Impact Analysis

This vulnerability can allow malicious code running inside the Boxlite sandbox to evade termination after a timeout, causing it to continue consuming system resources.

The continued resource consumption can lead to resource exhaustion within the virtual machine, which may degrade or disrupt the availability of the Boxlite service.

This can impact system stability and availability, potentially affecting other services or users relying on Boxlite.

Mitigation Strategies

To mitigate this vulnerability, you should update Boxlite to a version that includes the patch applied via commit 28159fc. This patch changes the signal used to terminate timed-out processes from the catchable SIGALRM to the uncatchable SIGKILL, preventing malicious code from continuing to run after the timeout.
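The behaviour the description and the patch turn on, as an added example (this is not Boxlite's code): a small timeout supervisor that spawns a child, sends the configured signal once the deadline passes, and reports whether the child actually went away. It assumes a Linux/POSIX host and runs the child under `sys.executable`; the two child scripts are constructed stand-ins for cooperative and for uncooperative sandboxed code.

```python
"""Timeout enforcement with a catchable signal (SIGALRM) versus SIGKILL.

Added example, not Boxlite's code. Assumes a POSIX/Linux host where
sys.executable is a Python 3 interpreter.
"""
import signal
import subprocess
import sys

# Constructed stand-in for well-behaved sandboxed code: it leaves SIGALRM at
# its default disposition (terminate), prints a readiness marker, then sleeps.
CHILD_COOPERATIVE = (
    "import time\n"
    "print('ready', flush=True)\n"
    "time.sleep(30)\n"
)

# Constructed stand-in for sandboxed code that ignores SIGALRM. A process that
# installs its own handler with signal.signal() defeats the timeout the same way.
CHILD_IGNORES_SIGALRM = (
    "import signal, time\n"
    "signal.signal(signal.SIGALRM, signal.SIG_IGN)\n"
    "print('ready', flush=True)\n"
    "time.sleep(30)\n"
)


def run_with_timeout(code: str, timeout: float, kill_signal: int) -> str:
    """Run `code` in a child interpreter, send `kill_signal` once `timeout`
    seconds pass after the child reports ready, and say what happened.

    Returns "terminated" if the child is gone within one second of the signal,
    "survived" otherwise. A survivor is then killed with SIGKILL purely so the
    demonstration does not leak processes; that cleanup is not the policy
    under test.
    """
    proc = subprocess.Popen([sys.executable, "-c", code],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()            # wait for the child's 'ready' marker
    proc.stdout.close()
    try:
        proc.wait(timeout=timeout)
        return "terminated"           # exited on its own before the deadline
    except subprocess.TimeoutExpired:
        pass
    proc.send_signal(kill_signal)     # the one line the fix changes
    try:
        proc.wait(timeout=1.0)
        return "terminated"
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        return "survived"


def weak_timeout(code: str, timeout: float = 0.5) -> str:
    """Pre-fix behaviour described in the advisory: enforce with SIGALRM."""
    return run_with_timeout(code, timeout, signal.SIGALRM)


def hardened_timeout(code: str, timeout: float = 0.5) -> str:
    """Post-fix behaviour: enforce with SIGKILL, which the child cannot
    catch, block or ignore."""
    return run_with_timeout(code, timeout, signal.SIGKILL)


if __name__ == "__main__":
    # Cooperative code dies under either signal, which is why the weak version
    # passes casual testing. Only SIGKILL reliably stops the uncooperative one.
    print("SIGALRM, cooperative child:  ", weak_timeout(CHILD_COOPERATIVE))
    print("SIGALRM, child ignoring ALRM:", weak_timeout(CHILD_IGNORES_SIGALRM))
    print("SIGKILL, child ignoring ALRM:", hardened_timeout(CHILD_IGNORES_SIGALRM))
```

The cooperative child is the case a quick manual test exercises: SIGALRM's default action terminates it, so the weak implementation looks correct. The point of the patch is the second case, where the supervisor's deadline only holds if the signal it sends cannot be intercepted.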

Compliance Impact

The vulnerability in Boxlite allows malicious code to bypass process timeouts, leading to resource exhaustion and impacting the availability of the Boxlite service.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the availability impact caused by this vulnerability could potentially affect compliance with regulations that require maintaining service availability and reliability.

However, there is no direct information provided about specific compliance implications or violations related to this vulnerability.

Detection Guidance

This vulnerability can be detected by checking if the Boxlite sandbox service version is 0.8.2 or earlier, as these versions use the catchable SIGALRM signal instead of SIGKILL for process timeouts.

To detect exploitation attempts or presence of the vulnerability, you can monitor processes inside the Boxlite sandbox that ignore or handle the SIGALRM signal, allowing them to run beyond their timeout.

Suggested commands include inspecting running Boxlite processes and their signal handlers. For example, you can check for processes that have installed a custom SIGALRM handler or ignore the signal.

  • Use `ps` or similar tools to identify long-running processes inside the Boxlite sandbox that exceed expected timeout durations.
  • Use `strace` or `gdb` to attach to suspicious processes and check if they have signal handlers for SIGALRM installed.
  • In shell environments inside the sandbox, check for traps on ALRM signals with `trap -p`.
  • In Python scripts running inside the sandbox, look for code using `signal.signal(signal.SIGALRM, signal.SIG_IGN)` or similar to ignore SIGALRM.

Additionally, verifying the Boxlite version and ensuring it includes the patch (commit 28159fc) that replaces SIGALRM with SIGKILL is a direct way to confirm if the vulnerability is present.
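One way to do the signal-handler check listed above without attaching a debugger to each process, as an added example (not Boxlite's tooling): on Linux the kernel exposes each process's ignored, caught and blocked signal sets as hex bitmasks in `/proc/<pid>/status`, so a scan of procfs can list every process whose SIGALRM disposition is not the default. The sample status text embedded in the block is constructed.

```python
"""Triage SIGALRM dispositions from /proc/<pid>/status.

Added example, not Boxlite's code. Linux-specific: it reads the SigIgn,
SigCgt and SigBlk bitmasks the kernel exposes in /proc. The sample status
text below is constructed.
"""
import os
import signal
from typing import List, Optional, Tuple

# /proc masks are 64-bit hex strings with bit (signum - 1) set per signal.
SIGALRM_BIT = 1 << (signal.SIGALRM - 1)   # SIGALRM is 14, so bit 13 (0x2000)

# Constructed example of the relevant lines of /proc/<pid>/status.
SAMPLE_STATUS_IGNORING = (
    "Name:\tworker\n"
    "Pid:\t4242\n"
    "SigBlk:\t0000000000000000\n"
    "SigIgn:\t0000000000002000\n"
    "SigCgt:\t0000000180000000\n"
)


def parse_status(status_text: str) -> dict:
    """Return the Name field and the three signal masks as integers."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key in ("SigIgn", "SigCgt", "SigBlk"):
            fields[key] = int(value, 16)
        elif key == "Name":
            fields[key] = value
    return fields


def sigalrm_disposition(status_text: str) -> str:
    """Classify how a process treats SIGALRM: 'ignored', 'caught', 'blocked'
    or 'default' (the default action for SIGALRM is to terminate)."""
    f = parse_status(status_text)
    if f.get("SigIgn", 0) & SIGALRM_BIT:
        return "ignored"
    if f.get("SigCgt", 0) & SIGALRM_BIT:
        return "caught"
    if f.get("SigBlk", 0) & SIGALRM_BIT:
        return "blocked"      # delivery is deferred until the signal is unblocked
    return "default"


def scan_procfs(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """List (pid, name, disposition) for every visible process that does not
    leave SIGALRM at its default. These are leads for review, not verdicts:
    shells, schedulers and anything using alarm() legitimately handle SIGALRM."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue   # process exited or is not readable from here
        disp = sigalrm_disposition(text)
        if disp != "default":
            findings.append((int(entry), parse_status(text).get("Name", "?"), disp))
    return findings


def self_check() -> Optional[str]:
    """Validate the parser against the kernel: ignore SIGALRM in this process,
    read our own status, then restore the previous handler. Returns None
    where /proc is unavailable (non-Linux hosts)."""
    if not os.path.exists("/proc/self/status"):
        return None
    previous = signal.signal(signal.SIGALRM, signal.SIG_IGN)
    try:
        with open("/proc/self/status") as fh:
            return sigalrm_disposition(fh.read())
    finally:
        signal.signal(signal.SIGALRM,
                      previous if previous is not None else signal.SIG_DFL)


if __name__ == "__main__":
    for pid, name, disp in scan_procfs():
        print(f"{pid:>7} {name:<20} SIGALRM {disp}")
```

Run inside the Box it lists the processes worth a closer look with `strace` or `gdb`; a process that shows up as `ignored` or `caught` is the one the weak timeout in 0.8.2 and earlier cannot stop. Because many legitimate programs handle SIGALRM, the list is a triage aid, and the version check (commit 28159fc present or not) remains the definitive test for the vulnerability itself.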
