
CVE-2025-5199 – LPE on Multipass for macOS
https://notcve.org/view.php?id=CVE-2025-5199
11 Jul 2025 — In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup. • https://github.com/canonical/multipass/pull/4115 • CWE-276: Incorrect Default Permissions

CVE-2021-3747 – macOS version of Multipass incorrect owner for application directory
https://notcve.org/view.php?id=CVE-2021-3747
01 Oct 2021 — The macOS version of Multipass, version 1.7.0, fixed in 1.7.2, accidentally installed the application directory with incorrect owner. • https://github.com/canonical/multipass/issues/2261 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2021-3626 – Windows version of Multipass unauthenticated localhost TCP control socket can perform mounts
https://notcve.org/view.php?id=CVE-2021-3626
01 Oct 2021 — The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation. • https://github.com/canonical/multipass/pull/2150 • CWE-73: External Control of File Name or Path • CWE-284: Improper Access Control