CVE-2026-41163

bubblewrap vulnerable to privilege escalation in setuid mode via ptrace

Assigner: GitHub_M
Reserved: 17.04.2026 Published: 09.05.2026 Updated: 09.05.2026

bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the "overlay mount" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	containers
Product	bubblewrap
Versions	Version >= 0.11.0, < 0.11.2 is affected

Vendor

containers

Product

bubblewrap

Versions

Version >= 0.11.0, < 0.11.2 is affected

References

Problem Types

CWE-269: Improper Privilege Management CWE

CVE-2026-41163 PUBLISHED

bubblewrap vulnerable to privilege escalation in setuid mode via ptrace

Metrics

Product Status

References

Problem Types