External risk intelligence

Boxlite Arbitrary File Write Leading to Host RCE via Malicious OCI Image

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-46703

Boxlite, a service for running untrusted code, has a vulnerability allowing a malicious container image to write arbitrary files to the host system, potentially leading to remote code execution. This requires a user to load the crafted image, and the issue is patched in version 0.9.0.

2Halo Surface Signal

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-46703

The vulnerability requires a user to manually pull and run a malicious OCI image from a registry. While the service processes images, this is not a default internet-facing listening service; it requires user interaction or specific configuration to process untrusted images, making direct public internet exposure uncommon in typical deployments.

PCI scan relevance

PCI Relevance for CVE-2026-46703

Yes

CVE-2026-46703 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an attacker to write arbitrary files on the host system, potentially leading to remote code execution, which could cause a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Boxlite, a service for running untrusted code in lightweight virtual machines and containers. The flaw allows an attacker to craft a malicious container image that, when used by a Boxlite user, can compromise the host system by writing arbitrary files and potentially achieving remote code execution. While patched in version 0.9.0, the exposure depends on users intentionally loading untrusted container images.

Malicious container images can compromise host systems.
Leadership should remember this for supply chain risks.
Confirm relevance and exposure related to container images.

Attack Path

How an attacker could exploit the issue

An attacker can create a malicious OCI image containing a symbolic link that targets an absolute path. This image can be uploaded to a public registry, and when a user is tricked into using this image within Boxlite, the symbolic link allows the attacker to write arbitrary content to any location on the host system, potentially leading to remote code execution.

Requires user to load malicious image.
Symbolic link to absolute path.
Arbitrary file write, potential RCE.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to write arbitrary content to any path on the host system when a user loads a specially crafted OCI image into the Boxlite sandbox. This could potentially lead to remote code execution on the host.

Host system files and configurations.
Loading a malicious OCI image.
Remote code execution on the host.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The ownership of this vulnerability lies with the teams managing the Boxlite service, likely a platform or DevOps team. The initial step is to inventory all instances of Boxlite, confirm exposure to untrusted OCI images, and identify the business criticality of each instance to prioritize remediation.

Platform or DevOps teams own the issue.
Verify Boxlite instances process untrusted images.
Plan remediation based on verified exposure.

Frequently asked questions

What is Boxlite?

Boxlite is a sandbox service designed to isolate untrusted code. It enables users to create lightweight virtual machines, known as Boxes, and launch OCI-compliant containers within them. Developers and researchers typically use this technology to safely execute and test external or unverified code by providing a restricted environment that keeps the underlying host system separate from the containerized application process.

What is the vulnerability in CVE-2026-46703?

This vulnerability is an Improper Limitation of a Pathname to a Restricted Directory, classified as CWE-22. It occurs because the software fails to properly handle symbolic links during the processing of OCI image tar entries. If an OCI image contains a symlink pointing to an absolute path outside the intended container scope, the software may follow that link, allowing an attacker to write files anywhere on the host system.

How is this vulnerability triggered?

The flaw is triggered when a user explicitly downloads and runs a specially crafted, malicious OCI image using Boxlite. The system does not become vulnerable simply by installing the software; the exploit requires a user-driven action to load the tainted image. Standard OCI images that do not contain malicious symlinks designed to point to absolute file system paths do not trigger this specific issue.

Is my system at risk?

Halo Surface Signal indicates that exploitation is unlikely in typical deployments because this service is not a default internet-facing listener. Your risk primarily depends on whether your Boxlite instance is configured to automatically or manually pull and process OCI images from external, untrusted sources. Instances restricted to internal, verified image registries have a significantly lower surface for this specific attack.

How do I address this CVE?

The primary response is to upgrade your Boxlite installation to version 0.9.0 or later, which includes the necessary patch to safely handle image symlinks. Before updating, identify all running Boxlite instances and determine which ones are configured to process untrusted images. Prioritize these active environments for the update to mitigate the risk of host-level compromise via malicious container images.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.