Claude Desktop Cowork VM Image Integrity Bypass / Local Persistence (CVE-2026-7574)
by Ashraf Zaryouh / 0xBlackash (Recon 2026) · 2026-06-30
- Severity
- High
- CVE
- CVE-2026-7574
- Category
- binary
- Affected product
- Anthropic Claude Desktop — Cowork feature
- Affected versions
- v1.1348.0 through v1.2278.0 (macOS)
- Disclosed
- 2026-06-30
- Patch status
- unpatched
Tags
References
Archive entry
intelseclab/poc-archiveMetadata
| Field | Value |
|---|---|
| Date Added | 2026-06-30 |
| Last Updated | 2026-06-30 |
| Author / Researcher | Ashraf Zaryouh / 0xBlackash (Recon 2026) |
| CVE / Advisory | CVE-2026-7574 |
| Category | binary |
| Severity | High |
| CVSS Score | 8.7 (CVSSv3.1; AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) |
| Status | PoC |
| Tags | LPE, persistence, VM-integrity, rootfs, Claude, AI-application, macOS, ext4, integrity-bypass, Shell |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Anthropic Claude Desktop — Cowork feature |
| Versions Affected | v1.1348.0 through v1.2278.0 (macOS) |
| Language / Platform | Bash (PoC); macOS (target) |
| Authentication Required | Yes (local unprivileged macOS user) |
| Network Access Required | No (local only) |
Summary
CVE-2026-7574 is a VM image integrity bypass in Anthropic’s Claude Desktop Cowork feature (macOS). Before booting the Cowork virtual machine, the application validates only the presence of rootfs.img and its associated version marker (.rootfs.img.origin); it performs no cryptographic hash or signature verification on the image contents. A local attacker with standard macOS user privileges can extract the ext4 VM filesystem, inject arbitrary payloads (cron scripts, startup modifications, persistence mechanisms), repack the image, and place it back. On every subsequent Cowork launch the tampered image boots and executes attacker code inside the VM — including in host-mounted directories. The persistence survives application restarts and updates. Presented at Recon 2026.
Vulnerability Details
Root Cause
Claude Desktop Cowork stores its VM disk image at:
~/Library/Application Support/Claude/vm_bundles/claudevm.bundle/rootfs.img
Before launching the VM, the application checks:
- That
rootfs.imgexists. - That
.rootfs.img.originversion marker is present.
No SHA-256 or other cryptographic hash is computed against the image contents. No code signature is verified. Any file that passes the existence check is trusted and booted.
CWE-353 (Missing Support for Integrity Check).
Attack Steps
- Locate
rootfs.imgat~/Library/Application Support/Claude/vm_bundles/claudevm.bundle/rootfs.img. - Extract the ext4 partition:
1dd if=rootfs.img of=partition.img bs=512 skip=206848 count=20764639 - Mount the ext4 partition to a temporary directory:
1sudo mount -o loop partition.img /mnt/vm - Inject malicious payload (e.g., cron job, startup script, backdoor binary).
- Unmount and write modified partition back into
rootfs.img. - Restart Claude Desktop Cowork — tampered image boots.
Impact
- Arbitrary code execution inside the Cowork VM on every launch.
- Access to host-mounted directories shared with the VM (files, credentials, project data).
- Persistence survives application restarts and Claude Desktop updates.
- Invisible to standard file-integrity tools monitoring the application bundle.
- Scope is Changed (
S:C): VM compromise extends to host-mounted paths.
Environment / Lab Setup
OS: macOS (any version running affected Claude Desktop Cowork)
Tools: dd, mount, standard shell utilities
Privs: Local unprivileged macOS user account
Proof of Concept
Run
| |
The PoC:
- Extracts the ext4 partition from
rootfs.img. - Mounts it and writes
/etc/0xblackash-poc.txtand a cron-based persistence entry (/etc/cron.d/blackash-poc). - Repacks the image.
- On next Cowork launch,
/etc/0xblackash-poc.txtwill contain a timestamped proof marker.
Verification
| |
Detection & Indicators of Compromise
| |
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade Claude Desktop to v1.2279.0 or later (versions above v1.2278.0 unaffected) |
| Verify | After patching, validate that Anthropic implemented SHA-256 or codesigning on rootfs.img at launch time |
| Interim | Restrict file-system write access to ~/Library/Application Support/Claude/vm_bundles/ via macOS permissions |
References
| |