{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41163", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-05-09T03:56:51.833Z", "dateUpdated": "2026-06-30T12:08:50.316Z"}, "containers": {"cna": {"title": "bubblewrap vulnerable to privilege escalation in setuid mode via ptrace", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp"}, {"name": "https://github.com/containers/bubblewrap/releases/tag/v0.11.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/containers/bubblewrap/releases/tag/v0.11.2"}], "affected": [{"vendor": "containers", "product": "bubblewrap", "versions": [{"version": ">= 0.11.0, < 0.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-09T03:56:51.833Z"}, "descriptions": [{"lang": "en", "value": "bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the \"overlay mount\" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2."}], "source": {"advisory": "GHSA-xq78-7hw4-5jvp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-13T17:25:25.718429Z", "id": "CVE-2026-41163", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T17:45:50.957Z"}}, {"affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "defaultStatus": "unaffected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat"}], "datePublic": "2026-05-09T03:56:51.833Z", "descriptions": [{"lang": "en", "value": "A flaw was found in bubblewrap when operating in setuid mode. A local user may use ptrace to interfere with the sandbox setup process and gain access to privileged operations that are normally restricted. This could allow an attacker to bypass intended sandboxing restrictions and potentially elevate privileges on the system."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-41163"}, {"name": "RHBZ#2468439", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468439"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41163.json"}], "timeline": [{"lang": "en", "time": "2026-05-09T05:01:05.292Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-09T03:56:51.833Z", "value": "Made public."}], "title": "bubblewrap: bubblewrap: Privilege escalation via ptrace when installed in setuid mode", "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:08:50.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41163", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-13T17:25:25.718429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T17:45:46.507Z"}}], "cna": {"title": "bubblewrap vulnerable to privilege escalation in setuid mode via ptrace", "source": {"advisory": "GHSA-xq78-7hw4-5jvp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "containers", "product": "bubblewrap", "versions": [{"status": "affected", "version": ">= 0.11.0, < 0.11.2"}]}], "references": [{"url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp", "name": "https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/containers/bubblewrap/releases/tag/v0.11.2", "name": "https://github.com/containers/bubblewrap/releases/tag/v0.11.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the \"overlay mount\" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-09T03:56:51.833Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41163", "state": "PUBLISHED", "dateUpdated": "2026-05-13T17:45:50.957Z", "dateReserved": "2026-04-17T16:34:45.525Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-09T03:56:51.833Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"product": "bubblewrap", "vendor": "containers", "versions": [{"status": "affected", "version": ">= 0.11.0, < 0.11.2"}]}], "source": "security-advisories@github.com"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the \"overlay mount\" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2."}], "id": "CVE-2026-41163", "lastModified": "2026-06-17T10:46:15.553", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-41163", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-13T17:25:25.718429Z", "version": "2.0.3"}}]}, "published": "2026-05-09T04:16:21.167", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/containers/bubblewrap/releases/tag/v0.11.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "bubblewrap: bubblewrap: Privilege escalation via ptrace when installed in setuid mode", "id": "2468439", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468439"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["A flaw was found in bubblewrap when operating in setuid mode. A local user may use ptrace to interfere with the sandbox setup process and gain access to privileged operations that are normally restricted. This could allow an attacker to bypass intended sandboxing restrictions and potentially elevate privileges on the system."], "name": "CVE-2026-41163", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "bubblewrap", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "bubblewrap", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "bubblewrap", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-05-09T03:56:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41163\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41163\nhttps://github.com/containers/bubblewrap/releases/tag/v0.11.2\nhttps://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp"], "statement": "This vulnerability affects bubblewrap's setuid mode. During sandbox initialization, insufficient isolation between privileged and unprivileged processing stages allows a local attacker to manipulate the sandbox setup process using ptrace.\n```\nThe vulnerability relies on support for overlay filesystem mounts. The overlayfs mount support was added in bubblewrap version 0.11.0 and that versions prior to 0.11.0 do not support overlay mounts.\nRed Hat products currently ship bubblewrap versions that predate the introduction of overlay mount support. As a result, the vulnerable functionality is not present and Red Hat products are not affected by this issue.\n```", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.11.0,0.11.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bubblewrap", "source": "cna", "vendor": "containers"}, "product": "bubblewrap", "vendor": "containers"}], "created": "2026-05-09T05:30:16.029872+00:00", "updated": "2026-06-02T14:00:10.577036+00:00", "vendors": ["containers", "containers$PRODUCT$bubblewrap"]}