Platform
python
Component
maxkb
Fixed in
2.8.1
CVE-2026-39421 describes a critical sandbox escape vulnerability discovered in MaxKB, an open-source AI assistant for enterprise. This flaw allows an authenticated attacker with workspace privileges to bypass the intended security restrictions and achieve arbitrary code execution. The vulnerability impacts versions 2.7.1 and earlier, and a fix is available in version 2.8.0.
The impact of CVE-2026-39421 is significant due to its potential for complete container compromise. An attacker who can exploit this vulnerability can bypass the LD_PRELOAD-based sandbox by leveraging Python's ctypes library to directly invoke kernel system calls. This bypass allows the attacker to execute arbitrary code within the container's context, effectively gaining full control. This control extends to network exfiltration, enabling the attacker to steal sensitive data stored within the container or accessible from the network. The ability to execute arbitrary code also opens the door to further exploitation, potentially leading to lateral movement within the enterprise network if the container has access to other resources. This vulnerability shares similarities with other sandbox escape exploits where bypassing security boundaries allows for unrestricted access and control.
CVE-2026-39421 was publicly disclosed on 2026-04-14. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (PoC) code is not yet available, but the technical details of the bypass are well-understood, increasing the likelihood of PoC development in the near future.
Organizations deploying MaxKB as an AI assistant within their enterprise environments are at risk. Specifically, deployments that grant workspace privileges to users who are not thoroughly vetted or who have access to sensitive data are particularly vulnerable. Shared hosting environments utilizing MaxKB also pose a higher risk due to the potential for cross-tenant exploitation.
• python: Monitor Python processes for unusual activity, especially those using ctypes and interacting with system calls. Use ps or top to identify suspicious processes.
ps aux | grep ctypes
• linux / server: Examine system logs (e.g., /var/log/syslog, /var/log/audit/audit.log) for calls to execve, system, connect, and open originating from Python processes within the MaxKB workspace.
journalctl -u maxkb -g 'system call'
• generic web: Monitor network traffic for unusual outbound connections from the MaxKB container to external hosts, particularly on non-standard ports.
curl -v <container_ip>:<port>
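The audit-log check from the list above, as an added example (not MaxKB's or the advisory's own code): auditd records syscalls in the kernel, so it still sees calls that never pass through the LD_PRELOAD hooks. The log lines, pids and the `maxkb-sandbox` audit key are constructed, and x86_64 syscall numbers are assumed.

```python
import re

# x86_64 numbers for the syscalls the page names, plus pkey_mprotect.
WATCHED = {2: "open", 42: "connect", 59: "execve", 257: "openat", 329: "pkey_mprotect"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed, abbreviated records in raw auditd format; pids, paths and the
# audit key are made up for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1776160000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=4000 pid=4100 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="maxkb-sandbox"
type=SYSCALL msg=audit(1776160000.214:502): arch=c000003e syscall=329 success=yes exit=0 ppid=4000 pid=4100 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="maxkb-sandbox"
type=SYSCALL msg=audit(1776160000.377:503): arch=c000003e syscall=42 success=no exit=-115 ppid=4000 pid=4100 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="maxkb-sandbox"
type=SYSCALL msg=audit(1776160000.502:504): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4100 uid=1000 comm="sh" exe="/usr/bin/sh" key="maxkb-sandbox"
type=SYSCALL msg=audit(1776160001.000:505): arch=c000003e syscall=59 success=yes exit=0 ppid=4199 pid=4200 uid=0 comm="ls" exe="/usr/bin/ls" key="maxkb-sandbox"
type=SYSCALL msg=audit(1776160001.100:506): arch=c000003e syscall=0 success=yes exit=64 ppid=4000 pid=4300 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="maxkb-sandbox"
type=PATH msg=audit(1776160001.000:505): item=0 name="/usr/bin/ls" inode=123
"""

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def flag_python_syscalls(log_text):
    """Return (pid, syscall_name, exe) for watched syscalls tied to Python."""
    python_pids, hits = set(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue  # other record types, or a different syscall table
        if not rec.get("syscall", "").isdigit():
            continue  # already-interpreted logs (ausearch -i) carry names
        exe, pid = rec.get("exe", ""), rec.get("pid", "0")
        is_python = "python" in exe.rsplit("/", 1)[-1]
        if is_python:
            python_pids.add(pid)
        # A successful execve is logged with the *new* image in exe=, so also
        # match on a pid (or parent pid) already seen running Python.
        related = is_python or pid in python_pids or rec.get("ppid") in python_pids
        name = WATCHED.get(int(rec["syscall"]))
        if related and name:
            hits.append((int(pid), name, exe))
    return hits

if __name__ == "__main__":
    for hit in flag_python_syscalls(SAMPLE_LOG):
        print(hit)
```

A Python process that made no watched call before spawning a child is not in `python_pids`, so this is a triage aid over whatever the audit rules captured, not a complete trace.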
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39421 is to immediately upgrade MaxKB to version 2.8.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter workspace privilege controls to limit the potential impact of a successful exploit. While not a complete solution, restricting the attacker's ability to execute code within the workspace can reduce the scope of the compromise. Monitoring for unusual Python process activity, particularly those utilizing ctypes and interacting with system calls, can provide early warning signs of exploitation. Review and harden the container's security posture, including network segmentation and least privilege access controls, to limit the blast radius in case of a successful attack.
Upgrade MaxKB to version 2.8.0 or later to mitigate the sandbox escape vulnerability. This update fixes the failure to block pkey_mprotect system calls, which allows an attacker to execute arbitrary code.
CVE-2026-39421 is a sandbox escape vulnerability in MaxKB versions 2.7.1 and below, allowing attackers to bypass security restrictions and achieve arbitrary code execution.
If you are using MaxKB version 2.7.1 or earlier, you are affected by this vulnerability. Upgrade to version 2.8.0 or later to mitigate the risk.
The recommended fix is to upgrade MaxKB to version 2.8.0 or later. If upgrading is not immediately possible, implement stricter workspace privilege controls.
As of now, there is no confirmed evidence of active exploitation, but the vulnerability is publicly known and could be targeted in the future.
Refer to the official MaxKB security advisory for detailed information and updates: [https://maxkb.ai/security/advisories/CVE-2026-39421]