diff --git a/bin/nixbox b/bin/nixbox
index 24f1c9c..6830a7b 100755
--- a/bin/nixbox
+++ b/bin/nixbox
@@ -310,8 +310,8 @@ NFTEOF
 ;;
 esac
- # Raise FD limit before launching virtiofsd and cloud-hypervisor
- ulimit -n 65536
+ # Raise FD limit before launching virtiofsd and cloud-hypervisor (#18).
+ raise_nofile 524288
 # --- Start virtiofsd for nix-store share (required by microvm config) ---
 log "==> Starting virtiofsd for nix-store..."
@@ -542,7 +542,7 @@ do_mount() {
 done
 local virtiofs_sock="$run_dir/virtiofs-${mount_idx}.sock"
- ulimit -n 65536
+ raise_nofile 524288
 virtiofsd \
 --socket-path="$virtiofs_sock" \
 --shared-dir="$MOUNT_SOURCE" \
diff --git a/lib/functions.bash b/lib/functions.bash
index 4d45a5b..a3f845b 100644
--- a/lib/functions.bash
+++ b/lib/functions.bash
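Review bot: In bin/nixbox, both `raise_nofile 524288` calls (the launch path near line 313 and `do_mount` near line 545) run in the script's own shell, so the raised limit is not confined to virtiofsd and cloud-hypervisor: every process started afterwards inherits it, and on the sudo path that includes a hard limit above what the session was granted. If only the two daemons need the headroom, calling the helper inside the subshell that launches each of them would keep the rest of the script at the session's limits; the launch lines are partly outside these hunks, so whether that fits is to be confirmed. At minimum a comment at each call site would help, e.g. `# NOTE: applies to this shell and all later children, not only virtiofsd`. The literal also repeats the helper's default and the e2e threshold, so calling `raise_nofile` with no argument or using a shared `readonly` constant would keep the three from drifting.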
@@ -11,6 +11,40 @@ die() { printf '\r%s\n' "ERROR: $*" >&2; exit 1; }
 log() { printf '\r%s\n' "$*"; }
 log_sub() { printf '\r %s\n' "$*"; }
+# ---------------------------------------------------------------------------
+# Process limits
+# ---------------------------------------------------------------------------
+
+# Raise the current shell's NOFILE soft limit to $1 (default 524288) without
+# lowering an already-higher hard limit. virtiofsd with --cache=auto
+# accumulates backing-file FDs and pins hot-cache shares at the ceiling (#18).
+# If the session's hard limit is below target (e.g. locked-down CI runners),
+# sudo prlimit raises this shell process's NOFILE hard+soft limits so bash's
+# ulimit can then succeed. Children inherit both.
+raise_nofile() {
+ local target="${1:-524288}"
+ local current_soft current_hard
+
+ current_soft=$(ulimit -Sn) || die "Failed to read NOFILE soft limit"
+ current_hard=$(ulimit -Hn) || die "Failed to read NOFILE hard limit"
+
+ if [ "$current_soft" = "unlimited" ] || [ "$current_soft" -ge "$target" ]; then
+ return 0
+ fi
+
+ if [ "$current_hard" = "unlimited" ] || [ "$current_hard" -ge "$target" ]; then
+ ulimit -Sn "$target" \
+ || die "Failed to raise NOFILE soft limit to $target"
+ return 0
+ fi
+
+ log "==> Raising NOFILE hard limit to $target (requires sudo)..."
+ sudo prlimit --pid "$BASHPID" --nofile="$target:$target" \
+ || die "Failed to raise NOFILE hard limit to $target"
+ ulimit -Sn "$target" \
+ || die "Failed to raise NOFILE soft limit to $target after raising hard limit"
+}
+
 # ---------------------------------------------------------------------------
 # Network derivation (pure — depends only on slot + name)
 # ---------------------------------------------------------------------------
diff --git a/tests/run-e2e-tests.sh b/tests/run-e2e-tests.sh
index bd77147..6bb1d35 100755
--- a/tests/run-e2e-tests.sh
+++ b/tests/run-e2e-tests.sh
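Review bot: `raise_nofile` passes `$target` to the numeric tests and then to `sudo prlimit` without checking that it is a positive integer. With a non-numeric argument both `[ ... -ge "$target" ]` tests error out and evaluate false, so control falls through to the privileged branch and the caller gets a sudo invocation followed by a misleading "Failed to raise NOFILE hard limit" message. Both callers in this commit pass a literal, so this is hardening rather than a live bug; a guard right after the `local` lines would do: `case "$target" in ''|*[!0-9]*) die "raise_nofile: invalid limit '$target'" ;; esac`. It may also be worth including `$current_hard` in the "Raising NOFILE hard limit" log line so the override of the session's ceiling is visible in CI logs.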
@@ -55,10 +55,10 @@ for pidfile in .nixbox/state/virtiofsd_*_pid; do
 pid=$(cat "$pidfile")
 tag=$(basename "$pidfile" | sed 's/virtiofsd_//;s/_pid//')
 max_fds=$(awk '/^Max open files/{print $4}' "/proc/$pid/limits")
- if [ "$max_fds" -ge 65536 ]; then
+ if [ "$max_fds" -ge 524288 ]; then
 echo " ok: virtiofsd ($tag) has $max_fds max FDs"
 else
- echo " FAIL: virtiofsd ($tag) has $max_fds max FDs, expected >= 65536"
+ echo " FAIL: virtiofsd ($tag) has $max_fds max FDs, expected >= 524288"
 exit 1
 fi
 done