The vulnerability exists in the sshfs_server component of Canonical Multipass prior to version 1.16.3. The validate_path function performs an insufficient check on requested file paths, relying on a plain string prefix comparison that does not account for directory traversal sequences (e.g., '..') or path separators. A local attacker with root access inside a guest VM can inject raw SFTP frames directly into the sshfs_server process via procfs, bypassing the FUSE layer. By crafting paths that include directory traversal sequences matching the allowed mount prefix, the attacker can cause the host-side root process to open files outside the intended mount boundary, enabling arbitrary file read access on the host and effectively escaping the VM sandbox.

This vulnerability allows a local attacker with root privileges inside a guest virtual machine to read arbitrary files on the host filesystem by escaping the VM sandbox. The impact is a complete compromise of confidentiality and integrity of host files accessible by the root process. Availability is not affected. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability affects Multipass versions before 1.16.3, so upgrading to version 1.16.3 or later is expected to address the issue once the vendor releases the fix. Until then, restrict root access inside guest VMs and monitor for suspicious activity related to SFTP server interactions. Avoid running untrusted code with root privileges inside guest VMs.