CVE-2025-5199: 
NixOS vulnerability analysis and mitigation

In Canonical Multipass up to and including version 1.15.1 on macOS, a local privilege escalation vulnerability was discovered due to incorrect default permissions. The vulnerability (CVE-2025-5199) was disclosed on July 11, 2025, and allows a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup (GitHub Advisory).

The vulnerability stems from incorrect default permissions where the multipassd binary is owned by a local user instead of root. The issue received a CVSS v3.1 base score of 7.3 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-276 (Incorrect Default Permissions) and affects the LaunchDaemon configuration at /Library/LaunchDaemons/com.canonical.multipassd.plist (GitHub Advisory, Ubuntu Security).

The vulnerability allows a local attacker to execute arbitrary commands with root privileges during system startup. This can lead to complete system compromise, including high impacts on confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been patched in version 1.16.0 of Multipass. For users unable to update, a temporary workaround is available by manually setting the correct ownership of the multipassd binary using the command: 'sudo chown root:wheel /Library/Application Support/com.canonical.multipass/bin/multipassd' (GitHub Advisory, GitHub PR).