CVE-2021-3626

HIGH

Multipass < 1.7.0 - Unauthenticated Privilege Escalation via Localhost TCP Control Socket

Title source: llm

Description

The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation.

References (1)

Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/canonical/multipass/pull/2150

Scores

CVSS v3 8.8
EPSS 0.0005
EPSS Percentile 14.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-284 CWE-73
Status published
Products (1)
canonical/multipass < 1.7.0
Published Oct 01, 2021
Tracked Since Feb 18, 2026