Skip to main content

bubblewrap CVE-2026-41163

| EUVDEUVD-2026-28884 HIGH
Improper Privilege Management (CWE-269)
2026-04-25
High
Disputed · 8.7 Vendor
Share

Severity by source

Sources disagree (Low–High)
Vendor (CNA) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.1 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 09, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 09, 2026 - 04:22 vuln.today
Analysis Generated
May 09, 2026 - 04:22 vuln.today
CVSS changed
May 09, 2026 - 04:22 NVD
8.7 (HIGH)
CVE Published
Apr 25, 2026 - 12:45 nvd
N/A
CVE Published
Apr 25, 2026 - 12:45 nvd
HIGH 8.7

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Privilege escalation in bubblewrap 0.11.x when installed setuid root allows local attackers to escape sandbox isolation via ptrace attachment during low-privileged setup phases. The vendor confirmed active exploitation risk by releasing emergency v0.11.2 patch and immediately deprecating setuid mode entirely. CVSS 8.7 severity reflects high integrity impact from sandbox breakout, though exploitation requires local access to a setuid-configured bubblewrap binary (non-default in most distributions).

Technical ContextAI

Bubblewrap is a sandboxing tool used by Flatpak and other container runtimes to create unprivileged Linux namespaces for application isolation. CWE-269 (Improper Privilege Management) manifests here through incorrect handling of the Linux dumpable flag during privilege transitions. When bubblewrap runs setuid root, it temporarily drops privileges to execute low-privileged setup code. Before v0.11.2, this code ran with the dumpable flag set, allowing the same-UID process to be attached via ptrace. An attacker could inject malicious code during these privilege transitions, manipulating namespace setup or file descriptor operations to escape the intended sandbox. The vulnerability arises from the interaction between Linux capability dropping, process dumpability semantics (prctl PR_SET_DUMPABLE), and ptrace permissions. Normal user-namespace-based bubblewrap deployments are unaffected since they never elevate privileges via setuid.

RemediationAI

Immediate action for systems running bubblewrap 0.11.0 or 0.11.1 with setuid bit: upgrade to bubblewrap v0.11.2 from https://github.com/containers/bubblewrap/releases/tag/v0.11.2, which sets the non-dumpable flag during privilege transitions to prevent ptrace attachment (security advisory at https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp). Long-term mitigation per vendor recommendation: transition away from setuid mode entirely by recompiling bubblewrap with -Dsupport_setuid=false (now the default build option), which refuses execution if setuid bit is set and eliminates this entire attack surface. For environments unable to immediately patch, temporary workaround is to remove setuid bit via 'chmod u-s /usr/bin/bwrap' - note this breaks functionality for users without CAP_SYS_ADMIN or unprivileged user namespace support, potentially preventing Flatpak applications from launching on older kernels. Verify kernel supports unprivileged user namespaces (kernel.unprivileged_userns_clone=1 on Debian/Ubuntu derivatives) before removing setuid as alternative privilege model. No performance or compatibility penalty for user-namespace mode on kernel 3.8+ systems.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

CVE-2026-41163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy