CVE-2026-5674 PUBLISHED

Pipewire: pipewire: sandbox escape and arbitrary code execution via malicious library loading

Assigner: redhat
Reserved: 06.04.2026 Published: 16.07.2026 Updated: 16.07.2026

A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An attacker with minimal permissions within a sandboxed environment can load a malicious library, leading to arbitrary code execution outside the sandbox and potential compromise of the user's system.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: unaffected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected

Workarounds

To mitigate this issue, restrict containerized applications from accessing the PulseAudio socket or writing to host-visible paths. Additionally, configure PipeWire to prevent module loading by setting pulse.allow-module-loading = false in the PipeWire PulseAudio configuration. Alternatively, restrict the dlopen() paths for module-ladspa-sink to trusted system directories like /usr/lib/ladspa/ and /usr/lib64/ladspa/. Applying these changes may require restarting the PipeWire service to take effect, which could impact audio functionality.

Credits

  • Red Hat would like to thank Johann Rehberger (embracethered.com) for reporting this issue.

References

Problem Types

  • Uncontrolled Search Path Element CWE