PatchSiren cyber security CVE debrief
CVE-2026-49237 Canonical CVE debrief
This CVE documents an incomplete remediation of CVE-2025-5199 in Canonical Multipass for macOS. Version 1.16.0 corrected ownership of the multipassd daemon binary to root:wheel, but left five auxiliary binaries in /Library/Application Support/com.canonical.multipass/bin/ owned by the installing user and writable. The root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH that prioritizes this user-writable directory and invokes these binaries by bare name. A local attacker can replace an auxiliary binary (e.g., qemu-img) with a malicious wrapper; when the daemon triggers it during routine operations such as `multipass launch`, the attacker's code executes with root privileges. This represents a local privilege escalation via writable auxiliary executables in a privileged PATH.
- Vendor: Canonical
- Product: Multipass
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations and individuals running Canonical Multipass on macOS, particularly on multi-user systems or on machines where untrusted users have local access. This includes system administrators responsible for macOS endpoint security and developers using Multipass for local virtualization workloads.
Technical summary
The vulnerability stems from an incomplete security update. While the main daemon binary ownership was corrected in version 1.16.0, five co-located auxiliary binaries remained with user-writable permissions. The root-privileged LaunchDaemon's PATH configuration prioritizes the directory containing these binaries and invokes them by unqualified name. This allows a local attacker with user privileges to substitute a malicious binary that will be executed by root during normal daemon operations, achieving privilege escalation. The attack requires local access and write permissions to the Multipass bin directory, with no user interaction needed for exploitation once the malicious binary is in place.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Canonical Multipass 1.16.3 or later for macOS.
- Verify that all binaries in /Library/Application Support/com.canonical.multipass/bin/ are owned by root:wheel and not writable by group or other.
- Review the com.canonical.multipassd.plist LaunchDaemon configuration: the daemon's PATH should not place a user-writable directory ahead of system directories, and helpers the daemon invokes by bare name should resolve only to root-owned locations.
- Audit for unexpected modifications to auxiliary binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, sshfs_server).
- If immediate patching is not possible, restrict local access to the affected system and monitor for unauthorized file modifications in the Multipass bin directory.
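The ownership and PATH checks in the list above can be scripted. The following audit script is an added example, not Canonical's code: the bin directory, the plist name and the helper names come from this debrief, while the plist location under /Library/LaunchDaemons, the use of `plutil -extract ... raw` (macOS 12 or later) and all function names are assumptions. It flags every file or directory in the bin directory that is not root-owned or is group/other writable, and then applies the same test to each entry of the daemon's PATH, since a root process resolving a bare name through a tamperable directory is the condition this CVE describes.

```shell
#!/bin/sh
# Added audit script, not Canonical's code. The bin directory, the plist
# name and the helper names come from the debrief; the plist location under
# /Library/LaunchDaemons and all function names are assumptions.

MULTIPASS_BIN="/Library/Application Support/com.canonical.multipass/bin"
MULTIPASS_PLIST="/Library/LaunchDaemons/com.canonical.multipassd.plist"   # assumed location

# Print every file or directory under $1 that a non-root local user could
# alter: not owned by root, or writable by group or other. The directory
# itself is included, because a writable directory lets a user swap out a
# root-owned helper by renaming. Returns 0 if clean, 1 if anything is
# flagged, 2 if the directory does not exist.
audit_bin_dir() {
    dir=$1
    [ -d "$dir" ] || { printf 'missing directory: %s\n' "$dir" >&2; return 2; }
    findings=$(find "$dir" \( -type f -o -type d \) \
                    \( ! -user root -o -perm -020 -o -perm -002 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Given a PATH-style string, print each existing entry that is not owned by
# root or is group/other writable. A root process that resolves helpers by
# bare name through such an entry can be redirected to a planted file.
# Returns 1 if any entry is flagged, 0 otherwise.
audit_path_entries() {
    rc=0
    oldifs=$IFS
    IFS=:
    for entry in $1; do
        [ -d "$entry" ] || continue
        if [ -n "$(find "$entry" -maxdepth 0 \( ! -user root -o -perm -020 -o -perm -002 \) -print)" ]; then
            printf 'tamperable PATH entry: %s\n' "$entry"
            rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

# Read the daemon's PATH from the LaunchDaemon plist (macOS only; plutil's
# "raw" output format is assumed to be available).
launchd_path() {
    plutil -extract EnvironmentVariables.PATH raw -o - "$1"
}

main() {
    rc=0
    audit_bin_dir "$MULTIPASS_BIN" || rc=1
    if [ -r "$MULTIPASS_PLIST" ]; then
        daemon_path=$(launchd_path "$MULTIPASS_PLIST") || return 1
        audit_path_entries "$daemon_path" || rc=1
    fi
    [ "$rc" -eq 0 ] && echo "multipass bin directory and daemon PATH look clean"
    return $rc
}

# The checks only mean something on macOS; elsewhere the functions are just
# defined so the logic can be exercised against a constructed directory.
if [ "$(uname -s)" = Darwin ]; then main "$@"; fi
```

Run it as `sudo sh multipass-audit.sh`; any line printed by `audit_bin_dir` is a helper a local user could replace, and any `tamperable PATH entry` line means the daemon's lookup order still trusts a directory that ordinary users can write to. A clean result after upgrading to 1.16.3 is the expected state.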
Evidence notes
NVD record published 2026-05-28T14:16:24.270Z; modified 2026-05-28T18:00:33.730Z. An advisory reference from the reporting email contact (address obfuscated in the source record) links to GitHub Security Advisory GHSA-r2xg-x32f-23c5. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields 7.8 (HIGH). CWE-276 (Incorrect Default Permissions) is cited.
Official resources
- CVE-2026-49237 CVE record (CVE.org)
- CVE-2026-49237 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28