Sandboxing Vulnerability in bubblewrap by Containers
CVE-2026-41163

8.7 HIGH

Key Information:

Vendor: Containers
CVE Published: 9 May 2026

What is CVE-2026-41163?

The bubblewrap sandboxing tool, when installed in setuid mode in versions from 0.11.0 up to, but not including, 0.11.2, has a vulnerability that allows local users to use ptrace to gain control over the sandbox's unprivileged setup phase. This gives them access to privileged operations such as overlay mounts, which are not normally permitted in setuid mode. Users are strongly advised to upgrade to version 0.11.2, where the issue is fixed.

Affected Version(s)

bubblewrap >= 0.11.0, < 0.11.2
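
A host is exposed only when both conditions above hold: the installed version falls in the affected range and the binary carries the setuid bit. The following exposure check is an added example, not code from the bubblewrap project; the function names are hypothetical, and it assumes `bwrap --version` prints `bubblewrap <version>` and that distro suffixes such as `-1` follow the upstream version.

```shell
#!/bin/sh
# Added example: exposure check for the setuid bubblewrap issue described above.
# Affected range taken from the advisory: >= 0.11.0 and < 0.11.2.

# ver_to_int MAJOR.MINOR.PATCH: print one comparable integer (0.11.1 -> 11001).
# Anything after the dotted numeric part (assumed distro suffix) is ignored.
ver_to_int() {
    printf '%s\n' "$1" | awk '{
        sub(/[^0-9.].*$/, "", $0)
        split($0, p, ".")
        print p[1] * 1000000 + p[2] * 1000 + p[3]
    }'
}

# version_affected VERSION: succeeds when 0.11.0 <= VERSION < 0.11.2.
version_affected() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int 0.11.0)" ] && [ "$n" -lt "$(ver_to_int 0.11.2)" ]
}

# classify VERSION SETUID(yes|no): print the exposure verdict.
classify() {
    if ! version_affected "$1"; then
        echo "not-affected-version"
    elif [ "$2" = yes ]; then
        echo "vulnerable"
    else
        # Affected code, but the issue needs the setuid install mode.
        echo "affected-version-not-setuid"
    fi
}

# check_bwrap: inspect the bwrap found on PATH on this host.
check_bwrap() {
    bin=$(command -v bwrap) || { echo "bwrap-not-found"; return 0; }
    ver=$("$bin" --version | awk '{print $2}')
    # -u is true when the file has the setuid bit set (symlinks are followed).
    if [ -u "$bin" ]; then setuid=yes; else setuid=no; fi
    classify "$ver" "$setuid"
}

check_bwrap
```

A result of `affected-version-not-setuid` still warrants the upgrade to 0.11.2, since a later packaging change could set the setuid bit.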

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
