Skip to main content

PipeWire CVE-2026-5674

| EUVDEUVD-2026-44925 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-07-16 redhat
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker needs a low-privilege foothold inside the sandbox (AV:L/PR:L), no user interaction, and the escape crosses the sandbox boundary (S:C), yielding full host-session C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 14:16 vuln.today
CVE Published
Jul 16, 2026 - 13:26 cve.org
HIGH 8.8

DescriptionCVE.org

A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An attacker with minimal permissions within a sandboxed environment can load a malicious library, leading to arbitrary code execution outside the sandbox and potential compromise of the user's system.

AnalysisAI

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain code execution inside Flatpak sandbox
Delivery
Access PipeWire PulseAudio compat socket
Exploit
Point loader at malicious library
Execution
PipeWire loads attacker library on host
Persist
Execute code outside sandbox
Impact
Compromise user session

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already be executing code with low privileges inside a sandboxed application (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 8.8) fits the real risk profile: exploitation is local and needs only low privileges (a foothold inside the sandbox), requires no user interaction, and the scope change (S:C) captures the escape from the confined app into the host user session with full confidentiality, integrity and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user runs a malicious or compromised Flatpak application that holds ordinary audio permission. From inside its sandbox the app abuses the PulseAudio compatibility layer to make PipeWire load an attacker-supplied library, which then executes on the host outside the sandbox with the user's privileges. …
Remediation No vendor-released patch version is identified in the input at time of analysis; monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-5674 and Bugzilla 2455341 (https://bugzilla.redhat.com/show_bug.cgi?id=2455341) and update the pipewire and pipewire-pulseaudio packages to the fixed build for your RHEL release as soon as it is published, then restart the user session or PipeWire services so the patched code loads. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and isolate all RHEL 7-10 systems with PipeWire and Flatpak running, prioritizing those with network exposure or handling sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Share

CVE-2026-5674 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy