CVE-2021-42762
5.3 MEDIUMBubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick...
Published: 2021-10-20 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.3 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, fedora, webkitgtk |
| fedoraproject | debian_linux, fedora, webkitgtk |
| webkitgtk | debian_linux, fedora, webkitgtk |
| wpewebkit | debian_linux, fedora, webkitgtk |
Description
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-42762
- [Other]http://www.openwall.com/lists/oss-security/2021/10/26/9
- [Other]http://www.openwall.com/lists/oss-security/2021/10/27/1
- [Other]http://www.openwall.com/lists/oss-security/2021/10/27/2
- [Other]http://www.openwall.com/lists/oss-security/2021/10/27/4
- [Vendor advisory]https://bugs.webkit.org/show_bug.cgi?id=231479
- [Other]https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6MGXCX7P5AHWOQ6IRT477UKT7IS4DAD/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5J2LZQTDX53DNSKSGU7TQYCO2HKSTY4/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON5SDVVPVPCAGFPW2GHYATZVZYLPW2L4/
- [Other]https://www.debian.org/security/2021/dsa-4995
- [Other]https://www.debian.org/security/2021/dsa-4996
- [Other]http://www.openwall.com/lists/oss-security/2021/10/26/9
- [Other]http://www.openwall.com/lists/oss-security/2021/10/27/1
- [Other]http://www.openwall.com/lists/oss-security/2021/10/27/2
- [Other]http://www.openwall.com/lists/oss-security/2021/10/27/4
- [Vendor advisory]https://bugs.webkit.org/show_bug.cgi?id=231479
- [Other]https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6MGXCX7P5AHWOQ6IRT477UKT7IS4DAD/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5J2LZQTDX53DNSKSGU7TQYCO2HKSTY4/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON5SDVVPVPCAGFPW2GHYATZVZYLPW2L4/
- [Other]https://www.debian.org/security/2021/dsa-4995
- [Other]https://www.debian.org/security/2021/dsa-4996
Related CVEs
Same vendor
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-31431 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly r... (7.8 HIGH)
- CVE-2026-4775 — A flaw was found in the libtiff library (7.8 HIGH)
- CVE-2026-3497 — Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions (7.5 HIGH)
- CVE-2026-2219 — It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the dat... (7.5 HIGH)