CVE-2025-5199

Description

In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Canonical / Multipass0 – 1.16.0

References

VENDOR_ADVISORYhttps://github.com/canonical/multipass/security/advisories/GHSA-2j82-p5cq-62p3
PATCHhttps://github.com/canonical/multipass/pull/4115