Skip to content

[AVE] New class: code-execution-sandbox-escape (runtime layer) #36

Description

@chaksaray

Before you open this issue

  • I have searched the registry at ave.bawbel.io and the records/ directory
  • This is a genuinely distinct behavioral class, not a variant of an existing record
  • I have a citable primary source (CVE, paper, disclosure, or working PoC)

Behavioral fingerprint

A code-execution tool/sandbox intended to confine agent-generated or agent-invoked code fails to enforce its isolation boundary — a crafted payload (e.g. via JavaScript prototype-chain traversal) breaks out of the intended sandbox to achieve code execution with host-level (including root) privileges, regardless of whether the code that triggered it was itself malicious or a legitimately-authorized snippet.

Why this is a new class, not a variant

Checked against AVE-2026-00042 (Prompt Injection - REPL Code Mode Payload Injection): that record is about how malicious code gets into the agent's generated code — data breaking out of a string/data context into code context via poisoned tool results.

This candidate is about what happens after code is already executing inside an intended sandbox: a flaw in the sandbox's own containment, exploitable even by code the agent was authorized to run. Different point in the kill chain (content-to-code injection vs. code-to-host escape), different defense (input/context separation vs. isolation hardening — microVM/gVisor-class boundaries vs. shared-kernel containers). Folding this into 00042 would lose the distinction that this vulnerability exists independent of how the code arrived — it's a property of the execution tool itself, not of any injection technique.

Primary source

NVD CVE-2026-5752 — Cohere Terrarium v1.0.1, sandbox escape via JavaScript prototype-chain traversal, CVSS 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Reported by CERT/CC 2026-04-14, last modified 2026-06-17. Verified directly against NVD.

Note: an earlier, weaker candidate for this class (an "AI escaped its sandbox" anecdote) was researched and dropped during the benchmark pass — its only source was a low-credibility content-mill site with no primary disclosure behind it, which does not meet this project's sourcing bar. This issue relies solely on the independently NVD-confirmed, CERT/CC-reported CVE-2026-5752.

Proposed record skeleton

attack_class:        Execution Hijack - Code Execution Sandbox Escape  (naming open to discussion —
                      matches the "Execution Hijack" category already used by AVE-2026-00046 Tool
                      Hook Interception, since both describe a component breaking an intended
                      execution/trust boundary)
severity:             CRITICAL (est., CVE-2026-5752 CVSS 9.3)
owasp_mcp:            [MCP05, MCP07]   (MCP05 = Command Injection and Execution, terminal effect is
                      arbitrary host execution; MCP07 = Insufficient Authentication and
                      Authorization, secondary, since the sandbox boundary is itself a
                      trust/authorization boundary being broken)
owasp_asi:            (none proposed — TBD during implementation)
mitre_atlas:          none — classic sandbox-isolation flaw, outside ATLAS's ML-adversarial-
                      technique scope
detection_layer:      runtime   (the escape only manifests during actual code execution in the
                      sandbox; not detectable by static scan of skill/prompt content, since the
                      exploit lives in the execution tool's own isolation implementation)
detection_stage:      runtime_observed
evidence_basis_engines: [sandbox, llm]

Real-world evidence

CVE-2026-5752, CVSS 9.3, CERT/CC-reported, NVD-confirmed. Pushes THM toward 1.0 in AIVSS scoring.

Indicators of compromise

  • Executed code contains prototype-chain manipulation patterns (e.g. __proto__, constructor.constructor) targeting the host JavaScript/Python runtime rather than objects within the sandboxed execution context
  • Sandbox/code-execution process observed accessing host-level resources (filesystem paths, network interfaces, process list, environment variables) outside its declared execution boundary
  • Code-execution tool process running with root or unrestricted host privileges rather than a scoped service account or dedicated microVM/container identity

Researcher

Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)

Metadata

Metadata

Assignees

No one assigned

    Labels

    ave-recordAdding or modifying an AVE recordnew-classGenuinely new behavioral class, not a variantresearch-sourcedTraced to a citable primary source via research-new-attack-classes

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions