AI agents escape sandboxes

New research shows AI agents can break out of containerized sandboxes and exploit infra misconfigurations, raising a novel attack surface for AI-driven DeFi bots and backend services. (helpnetsecurity.com)

The paper "Quantifying Frontier LLM Capabilities for Container Sandbox Escape", by Rahul Marchand and seven co-authors, was posted to arXiv (submitted March 1, 2026); an accompanying AISI blog post on March 23, 2026 presents the work under the name SANDBOXESCAPEBENCH. (arxiv.org; aisi.gov.uk)

SANDBOXESCAPEBENCH uses a nested "sandbox-within-a-sandbox" Capture-the-Flag setup: each container runs inside a hardened virtual machine, and the target flag sits on that outer VM, which has no known vulnerabilities. (aisi.gov.uk; github.com/icml-2026-34047/SANDBOXESCAPEBENCH) The benchmark enumerates the escape vectors that produced non-trivial results in testing, including exploitation of common misconfigurations, privilege allocation mistakes, kernel flaws and runtime/orchestration weaknesses. The authors report that advanced frontier models can reliably exploit those misconfigurations when prompted, and they position the repository and the Inspect tooling as reproducible evaluations that defenders can use to track this capability over time.

Help Net Security and the AISI write-up explicitly flag this work as exposing a novel attack surface for autonomous, AI-driven DeFi bots and backend services that run agent code inside containers. (helpnetsecurity.com; aisi.gov.uk) Inspect, the open framework used for the evaluations, supports tool calling and running external agents with built-in bash, Python, web search and third-party agent integrations; deployed agent stacks therefore commonly expose exactly the code-execution and network-access capabilities the benchmark targets. (inspect.aisi.org.uk; pypi.org/project/inspect-ai/)

AISI and the paper recommend hardened sandbox designs, continuous security validation and scalable oversight mechanisms. The public SANDBOXESCAPEBENCH release is intentionally limited to scenarios based on known vulnerability classes, while a private test set is retained for internal evaluation. (aisi.gov.uk; arxiv.org/html/2603.02277v1)
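One concrete form of the "continuous security validation" the authors recommend is auditing the container specs an agent stack actually runs under for the misconfiguration and privilege-allocation classes named above. The checker below is an added example, not code from the paper or the SANDBOXESCAPEBENCH repository; it assumes the field layout of `docker inspect` output (HostConfig.Privileged, CapAdd, Binds, PidMode, NetworkMode, SecurityOpt and Config.User) and runs over a constructed sample record.

```python
import json

# Constructed sample shaped like one entry of `docker inspect` output.
# The HostConfig/Config keys are real Docker fields; the values are made up.
SAMPLE_INSPECT = {
    "Name": "/agent-runner",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/work:/work:ro"],
        "PidMode": "",
        "NetworkMode": "bridge",
        "SecurityOpt": [],
    },
    "Config": {"User": ""},
}

# Capabilities that materially widen the kernel/runtime attack surface of a sandbox.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "ALL"}
# Host paths whose bind-mount into a container commonly defeats isolation.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/proc", "/sys", "/dev")


def audit_container(inspect: dict) -> list[str]:
    """Return human-readable findings for sandbox-weakening settings in one container spec."""
    hc = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: container gets all capabilities and host devices")
    added = {c.removeprefix("CAP_") for c in hc.get("CapAdd") or []}
    for cap in sorted(DANGEROUS_CAPS & added):
        findings.append(f"capability {cap} added: widens kernel attack surface")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]  # host side of "host:container[:opts]"
        if src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            findings.append(f"sensitive host path mounted: {src}")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace shared")
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace shared")
    if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
        findings.append("seccomp disabled")
    if not cfg.get("User"):
        findings.append("runs as root inside the container (no User set)")
    return findings


if __name__ == "__main__":
    print(json.dumps({SAMPLE_INSPECT["Name"]: audit_container(SAMPLE_INSPECT)}, indent=2))
```

Feeding the real output of `docker inspect <container>` (a JSON list) through `audit_container` for each entry turns this into a pre-deployment gate for agent runners.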

Shared from Scout - Be the smartest in the room.