CVE-2026-47213

MEDIUM 6.5

BoxLite: Timeout Bypass Vulnerability

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc.

CWE	CWE-404
Vendor	boxlite-ai
Product	boxlite
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for boxlite-ai boxlite

Be the first to know when new medium vulnerabilities affecting boxlite-ai boxlite are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

boxlite-ai / boxlite

<= 0.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-xjhv-pp2r-6f82 github.com: https://github.com/boxlite-ai/boxlite/commit/28159fc5b6b6fd5037e18a58fc4644c882e3c581