Flatpak Vulnerability Allows Sandbox Escape
CVE-2024-32462
What is CVE-2024-32462?
The vulnerability CVE-2024-32462 in the Flatpak software system for Linux allows a malicious or compromised Flatpak app to execute arbitrary code outside its sandbox in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8. The vulnerability can be exploited by passing bwrap arguments to the --command= argument of flatpak run, and has been mitigated in xdg-desktop-portal version 1.18.4. This could have a significant impact on the security of Linux systems, particularly regarding sandboxed applications. At this time, there are no known exploits of this vulnerability by ransomware groups.
Affected Version(s)
flatpak < 1.10.9
flatpak >= 1.12.0, < 1.12.9
flatpak >= 1.14.0, < 1.14.6
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles

Fedora 39: flatpak 2024-c8d21fe399 Security Advisory Updates | LinuxSecurity.com
Fedora Update Notification FEDORA-2024-c8d21fe399 2024-04-25 01:19:12.575114 Name: flatpak Product:
Flatpak Patch Addresses Major Sandbox Escape Flaw
Critical CVE-2024-32462 exposed in Flatpak, allowing unauthorized code execution. Update urgently to fixed versions 1.14.6 and above.