CVE-2026-46695

Boxlite · Boxlite

Boxlite prior to 0.9.0 fails to restrict kernel capabilities, allowing malicious code to remount directories as read-write and perform arbitrary write operations.

Executive summary

A critical sandbox-escape vulnerability in Boxlite allows attackers to gain unauthorized write access to host directories, necessitating an immediate update to version 0.9.0.

Vulnerability

This is a sandbox-escape vulnerability in which untrusted code can remount host directories from read-only to read-write. The issue stems from a failure to restrict kernel capabilities: CAP_SYS_ADMIN is not dropped from the guest. The flaw is reachable by unauthenticated attackers running code within the container.

Business impact

Successful exploitation allows an attacker to bypass critical security boundaries, gaining unauthorized write access to host directories that should be read-only. Given the CVSS score of 10.0, this represents a total compromise of the sandbox integrity, potentially leading to system-wide data corruption or further privilege escalation on the host server.

Remediation

Immediate Action: Upgrade Boxlite to version 0.9.0 or later, which enforces read-only status at the hypervisor level and drops CAP_SYS_ADMIN from the guest.

Proactive Monitoring: Monitor system logs for unexpected file system remount commands or unauthorized write activity within container environments.

Compensating Controls: Implement strict resource constraints and restrict the usage of privileged containers until the patch can be applied.
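
Guest-side verification of the remediation above, as an added example that is not code from Boxlite or from this advisory: it parses the text of /proc/<pid>/status to find capability sets that still contain CAP_SYS_ADMIN, and the text of /proc/<pid>/mountinfo to find mounts that are expected to be read-only but are not. The sample inputs are constructed and the /mnt paths are hypothetical.

```python
CAP_SYS_ADMIN = 21  # bit index defined in <linux/capability.h>

def cap_sets(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into {name: bitmask}."""
    sets = {}
    for line in status_text.splitlines():
        name, _, value = line.partition(":")
        if name.startswith("Cap"):
            sets[name] = int(value.strip(), 16)
    return sets

def sets_with_sys_admin(status_text):
    """Names of the capability sets that still carry CAP_SYS_ADMIN."""
    return sorted(name for name, mask in cap_sets(status_text).items()
                  if (mask >> CAP_SYS_ADMIN) & 1)

def not_read_only(mountinfo_text, expected_ro):
    """Paths from expected_ro that are missing or lack the per-mount 'ro' option."""
    is_ro = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 6:  # field 5 = mount point, field 6 = mount options
            is_ro[fields[4]] = "ro" in fields[5].split(",")
    return sorted(p for p in expected_ro if not is_ro.get(p, False))

# Constructed samples, not captured from Boxlite; the /mnt paths are hypothetical.
STATUS_FULL_CAPS = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
)
STATUS_REDUCED_CAPS = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
MOUNTINFO = (
    "22 1 254:0 / / rw,relatime - ext4 /dev/vda rw\n"
    "30 22 254:16 / /mnt/shared ro,relatime - ext4 /dev/vdb rw\n"
    "31 22 254:32 / /mnt/data rw,relatime - ext4 /dev/vdc rw\n"
)

if __name__ == "__main__":
    for label, status in (("full", STATUS_FULL_CAPS), ("reduced", STATUS_REDUCED_CAPS)):
        print(label, "CAP_SYS_ADMIN in:", sets_with_sys_admin(status) or "none")
    print("not read-only:", not_read_only(MOUNTINFO, ["/mnt/shared", "/mnt/data"]))
```

On a live guest, pass the contents of /proc/self/status and /proc/self/mountinfo instead of the samples. A clean result covers only the guest-side half of the fix; the hypervisor-level read-only enforcement is confirmed by running Boxlite 0.9.0 or later.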

Exploitation status

Public Exploit Available: True

Analyst recommendation

The severity of this vulnerability is extreme, as it effectively nullifies the isolation provided by the Boxlite sandbox. Administrators must immediately upgrade to version 0.9.0 to enforce the necessary hypervisor-level security controls and prevent arbitrary code execution on the underlying host.