CVE-2025-5199 — Incorrect Default Permissions in Multipass

CWE-276 — Incorrect Default Permissions CWE-863 — Incorrect Authorization2 documents2 sources

Severity

7.8HIGHNVD

CNA7.3

EPSS

0.0%

top 96.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Multipass

Timeline

Latest updateJul 11

PublishedJul 12

Description

In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5canonical/multipass< 1.16.0

▶NVDcanonical/multipass< 1.16.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

LPE on Multipass for macOS↗2025-07-11

▶