Arbitrary Command Execution Vulnerability in Lima for Linux Virtual Machines on macOS
CVE-2026-53657

8.2HIGH

Key Information:

Vendor

Lima-vm

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-53657?

An arbitrary command execution vulnerability exists in Lima when an instance is running with the qemu driver. If the guest agent is enabled, unauthorized users within the virtual machine can access the /run/lima-guestagent.sock socket. This access allows them to execute commands with root privileges, potentially compromising sensitive system components. The vulnerability has been addressed in Lima version 2.1.3, which includes important security fixes to mitigate these risks.

Affected Version(s)

lima < 2.1.3

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.