Arbitrary Command Execution Vulnerability in Lima for Linux Virtual Machines on macOS
CVE-2026-53657
8.2HIGH
What is CVE-2026-53657?
An arbitrary command execution vulnerability exists in Lima when an instance is running with the qemu driver. If the guest agent is enabled, unauthorized users within the virtual machine can access the /run/lima-guestagent.sock socket. This access allows them to execute commands with root privileges, potentially compromising sensitive system components. The vulnerability has been addressed in Lima version 2.1.3, which includes important security fixes to mitigate these risks.
Affected Version(s)
lima < 2.1.3
