CVE-2021-41133 · threatengine.sh

Home/CVE/Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior t

CVE

CVE-2021-41133

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior t

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely.

Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process xdg-dbus-proxy, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses.

Patches exist for versions 1.10.4 and 1.12.0, and as of time of publication, a patch for version 1.8.2 is being planned. There are no workarounds aside from upgrading to a patched version.

HIGH · CVSS 8.8 EPSS 0.00061

Schedule remediation

CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-20Improper Input Validation

▤

Affected Products & Versions

5

flatpak< 1.8.2
flatpak>= 1.10.0 and < 1.10.4
flatpak>= 1.11.1 and < 1.12.1
debian linuxall versions
fedoraproject fedoraall versions

▣

Scoring & Timeline

8.8

HIGH · CVSS v3.1 · security-advisories@github.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD08 Oct 2021 · 02:15 PM

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

no

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

17

rhsaRHSA-2025:10364Important
suse-csafopenSUSE-SU-2024:11574-1
suse-csafSUSE-SU-2022:3439-1
suse-csafSUSE-SU-2022:3284-1
usnUSN-5191-1
Show all 17 vendor advisoriessuse-csafSUSE-SU-2021:3768-1
suse-csafSUSE-SU-2021:3769-1
suse-csafopenSUSE-SU-2021:1454-1
suse-csafopenSUSE-SU-2021:3603-1
suse-csafSUSE-SU-2021:3603-1
suse-csafopenSUSE-SU-2021:1400-1
suse-csafopenSUSE-SU-2021:3472-1
suse-csafSUSE-SU-2021:3472-1
rhsaRHSA-2021:4042Important
rhsaRHSA-2021:4044Important
rhsaRHSA-2021:4106Important
rhsaRHSA-2021:4107Important

🔗

References & Sources

14

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://www.openwall.com/lists/oss-security/2021/10/26/9Mailing ListThird Party Advisory

https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999PatchThird Party Advisory

https://github.com/flatpak/flatpak/commit/26b12484eb8a6219b9e7aa287b298a894b2f34caPatchThird Party Advisory

https://github.com/flatpak/flatpak/commit/462fca2c666e0cd2b60d6d2593a7216a83047aafPatchThird Party Advisory

https://github.com/flatpak/flatpak/commit/4c34815784e9ffda5733225c7d95824f96375e36PatchThird Party Advisory

https://github.com/flatpak/flatpak/commit/89ae9fe74c6d445bb1b3a40e568d77cf5de47e48PatchThird Party Advisory

Show all 14 references

https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69fPatchThird Party Advisory

https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330PatchThird Party Advisory

https://github.com/flatpak/flatpak/commit/e26ac7586c392b5eb35ff4609fe232c52523b2cfPatchThird Party Advisory

https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4qPatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5656ONDP2MGKIJMKEC7N2NXCV27WGTC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5DKCYRC6MFSTFCUP4DELCOUUP3SFEFX/

https://security.gentoo.org/glsa/202312-12

https://www.debian.org/security/2021/dsa-4984Third Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin