Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.
AnalysisAI
Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files on the host filesystem by bypassing the host-side sshfs_server path containment. The flaw lives in the validate_path function (CWE-22 path traversal), which uses naive string prefix matching and accepts dot-dot sequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, though the technical write-up in the GHSA advisory provides enough detail to make exploitation reproducible.
Technical ContextAI
Multipass is Canonical's lightweight VM orchestrator that uses sshfs/FUSE to mount host directories into guest VMs. The vulnerable component is sshfs_server (src/sshfs_mount/sftp_server.cpp), a host-side helper that runs as root and brokers SFTP traffic for the FUSE mount. Its validate_path function is supposed to ensure that any requested path remains beneath an allowed mount prefix, but it performs only a plain std::string prefix comparison - there is no canonicalisation, no check that the next character after the prefix is a path separator, and no resolution of '..' components, which is the canonical CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) pattern. Because the guest can reach the sshfs_server process's stdin/stdout via /proc on the host-facing side of the pipe and inject raw SFTP frames (e.g. SSH_FXP_OPEN), the attacker bypasses the FUSE layer entirely and speaks directly to the privileged validator.
RemediationAI
Vendor-released patch: upgrade Canonical Multipass to 1.16.3 or later, which is the fixed version cited in the GHSA-rhp2-23c4-r34w advisory (https://github.com/canonical/multipass/security/advisories/GHSA-rhp2-23c4-r34w). Until patching is possible, stop mounting host directories into untrusted guests by avoiding 'multipass mount' and removing existing mounts with 'multipass umount', which eliminates the sshfs_server attack surface but breaks any workflow that depends on shared host folders. Where mounts are required, restrict them to directories that contain no sensitive host content (e.g. a dedicated empty share) and do not grant untrusted users root inside guests, since exploitation requires guest-side root to write raw SFTP frames into the sshfs_server pipes via procfs.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32899