Vulnerability Information
Vulnerability Title
BoxLite: Timeout Bypass Vulnerability
Vulnerability Description
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
Improper Resource Shutdown or Release
Vulnerability Title
BoxLite security vulnerability
Vulnerability Description
BoxLite is an embedded micro-VM runtime open-sourced by BoxLite that provides hardware-isolated secure sandboxing for AI agents and code-execution scenarios. BoxLite 0.8.2 and earlier versions contain a security vulnerability caused by terminating processes with the catchable SIGALRM signal instead of the uncatchable SIGKILL signal; malicious code can keep running after the timeout, leading to resource exhaustion.
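The following is an added example, not BoxLite's own code, that demonstrates the defect both descriptions above refer to: a constructed child process installs a handler for SIGALRM and survives a timeout enforced with that signal, while the same timeout enforced with SIGKILL terminates it. The `run_with_timeout` function is a hypothetical stand-in for the sandbox's timeout enforcer, and the corrected variant simply applies the general rule of using SIGKILL; the page gives no details of commit 28159fc, so nothing here claims to reproduce that patch.

```python
import signal
import subprocess
import sys

# Constructed stand-in for code running inside the sandbox: it installs a
# handler for the catchable SIGALRM, reports readiness, then runs forever.
CHILD_SRC = r"""
import signal, time
signal.signal(signal.SIGALRM, lambda signum, frame: None)  # handler swallows SIGALRM
print("ready", flush=True)
while True:
    time.sleep(0.05)
"""


def run_with_timeout(kill_signal: int, timeout_s: float = 0.1, grace_s: float = 0.5) -> bool:
    """Hypothetical timeout enforcer. Starts the child, waits up to `timeout_s`,
    then sends `kill_signal`. Returns True if the child is gone within `grace_s`,
    i.e. if the timeout was actually enforced."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD_SRC], stdout=subprocess.PIPE)
    try:
        proc.stdout.readline()  # wait until the child has installed its handler
        try:
            proc.wait(timeout=timeout_s)
        except subprocess.TimeoutExpired:
            proc.send_signal(kill_signal)  # timeout fired: deliver the chosen signal
        try:
            proc.wait(timeout=grace_s)
            return True
        except subprocess.TimeoutExpired:
            return False
    finally:
        if proc.poll() is None:  # do not leak the child if it survived
            proc.kill()
            proc.wait()
        proc.stdout.close()


def enforced_with_sigalrm() -> bool:
    """Pre-fix behaviour: SIGALRM is catchable, so the child keeps running."""
    return run_with_timeout(signal.SIGALRM)


def enforced_with_sigkill() -> bool:
    """Fixed behaviour: SIGKILL cannot be caught, blocked or ignored."""
    return run_with_timeout(signal.SIGKILL)


if __name__ == "__main__":
    print("SIGALRM enforced the timeout:", enforced_with_sigalrm())  # False
    print("SIGKILL enforced the timeout:", enforced_with_sigkill())  # True
```

A monitoring-side check that follows from this: after a timeout fires, verify the process actually exited rather than trusting that the signal was delivered.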
CVSS Information
N/A
Vulnerability Type
N/A