PatchSiren

boxlite-ai CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM boxlite-ai CVE published 2026-06-10

CVE-2026-47213

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal [truncated]

CRITICAL boxlite-ai CVE published 2026-06-10

CVE-2026-46703

CVE-2026-46703 is a critical vulnerability in Boxlite, a sandbox service for running untrusted code. The flaw allows attackers to write arbitrary content to any path on the host, potentially leading to remote code execution. This issue was patched in version 0.9.0.

CRITICAL boxlite-ai CVE published 2026-06-10

CVE-2026-46695

CVE-2026-46695 is a critical vulnerability in the Boxlite sandbox service, which allows users to create lightweight virtual machines and launch OCI containers. The service does not restrict kernel capabilities inside the container, so malicious code can remount directories in read-write (rw) mode and gain write access to read-only directories. This vulnerability has been patched in version 0.9.0.