


Perceptive Security
SOC/SIEM Consultancy

An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 upd…
Published: 27 May 2026 at 22:00:00
Alert date: 28 May 2026 at 19:09:38
Source: nvd.nist.gov
Operating Systems, Cloud & Virtualization
CVE-2026-49237 affects Canonical Multipass for macOS versions before 1.16.3 due to an incomplete fix for CVE-2025-5199. The vulnerability allows local privilege escalation through user-writable auxiliary binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/. While the main multipassd daemon binary was fixed to use root:wheel ownership, these five co-located binaries retain user ownership and remain writable. The root LaunchDaemon prioritizes this user-writable directory in PATH and calls these binaries by name, allowing attackers to replace them with malicious wrappers. When the root daemon triggers these binaries during normal operations, the malicious code executes with root privileges.
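A defender-side check for the condition described above, as an added example that is not part of the advisory or of Canonical's code: it flags the helper directory and the five named binaries when they are not owned by root or are group- or world-writable. The function name and its optional directory and owner arguments are assumptions made for this example; the path and binary names come from the advisory.

```shell
#!/bin/sh
# Added example: audit the Multipass helper directory for files that a
# non-root user could replace. Path and binary names are from the advisory.
MULTIPASS_BIN="/Library/Application Support/com.canonical.multipass/bin"
HELPERS="multipass qemu-img qemu-system-aarch64 qemu-system-x86_64 sshfs_server"

# audit_multipass_bin [DIR] [OWNER]   (both arguments are example assumptions)
#   DIR   directory to audit (default: the advisory's path)
#   OWNER owner the files are expected to have (default: root)
# Prints one FINDING line per replaceable entry.
# Returns 0 if clean, 1 if anything is replaceable, 2 if DIR is missing.
audit_multipass_bin() {
    dir=${1:-$MULTIPASS_BIN}
    owner=${2:-root}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir not found"
        return 2
    fi
    # "." audits the directory itself: a writable directory lets its files
    # be swapped no matter what the modes on the files are.
    for name in . $HELPERS; do
        path="$dir/$name"
        [ -e "$path" ] || continue
        # -H resolves a symlinked helper to its target; -prune stops descent.
        hit=$(find -H "$path" -prune \
              \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$hit" ]; then
            echo "FINDING: $(ls -ldn "$path")"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage on an affected host: audit_multipass_bin
```

A non-zero exit with FINDING lines on a host running a version before 1.16.3 matches the state the advisory describes.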
Technical details
Mitigation steps:
Affected products:
Canonical Multipass
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-49237
https://github.com/canonical/multipass/security/advisories/GHSA-r2xg-x32f-23c5
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
