CVE-2021-3626 HIGH

CVE-2021-3626: Windows version of Multipass unauthenticated localhost tcp control socket can perform mounts

Vendor: Canonical
Product: Multipass
Weakness: CWE-73
Published: October 1, 2021
Last update: September 17, 2024

CVSS base score

8.8/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

The Windows version of Multipass before 1.7.0 allowed any local process to connect to the localhost TCP control socket to perform mounts from the operating system to a guest, allowing for privilege escalation.

Key dates

02 Disclosure timeline

October 1, 2021: CVE published
September 17, 2024: Record updated