Bubblewrap

v0.11.2 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 1mo Virtualization
This release patches 1 known CVE

Topics

linux-containers user-namespaces

Summary

AI summary

Security fix CVE-2026-41163 for setuid mode; setuid support deprecated.

Full changelog

This is a security update for CVE-2026-41163, which affects any system using a setuid bubblewrap 0.11.x. Anyone using this should update to this release (or stop using setuid mode).

This release deprecates the support for setuid bubblewrap, and later versions of bubblewrap will no longer support it.

Bug fixes:

  • In setuid mode, don't run the low-privileged parts of the setup
    as dumpable, as that allows it to be ptraced, which can lead to problems.
    This is CVE-2026-41163, and was reported by François Diakhate.

Enhancements:

  • New build option -Dsupport_setuid, which if set to false (which
    is the default) disables the support for setuid. Binaries built
    with this will refuse to run if made setuid. We recommend building
    normal bubblewrap binaries like this, which allows you to safely
    ignore any security issues that only affect setuid mode.

Breaking Changes

  • Setuid bubblewrap support deprecated; later versions will remove it

Security Fixes

  • CVE-2026-41163: Setuid bubblewrap ptrace vulnerability allowing privilege escalation
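
To act on the advice above (update, or stop using setuid mode), the following added example, which is not code from the bubblewrap project, checks whether a given bwrap binary carries the setuid bit and whether its reported version falls in the 0.11.x range below 0.11.2. The function names and verdict strings are assumptions made for this example; the version is read from the `bubblewrap X.Y.Z` line printed by `bwrap --version`.

```shell
#!/bin/sh
# Added example, not bubblewrap project code: flag bwrap binaries that are
# installed setuid and report a version in the range named for CVE-2026-41163.

# Print "setuid" if FILE is a regular file with the setuid bit set, else "plain".
bwrap_mode() {
    if [ -f "$1" ] && [ -u "$1" ]; then echo setuid; else echo plain; fi
}

# Succeed only for 0.11.x releases older than 0.11.2 (the range on this page).
version_in_affected_range() {
    case "$1" in
        0.11.*)
            patch=${1#0.11.}
            patch=${patch%%[!0-9]*}      # drop suffixes such as "-rc1"
            [ -n "$patch" ] && [ "$patch" -lt 2 ] ;;
        *) return 1 ;;
    esac
}

# Combine both checks into one verdict for FILE reporting VERSION.
assess() {
    if [ "$(bwrap_mode "$1")" = plain ]; then
        echo "OK: not setuid"
    elif version_in_affected_range "$2"; then
        echo "VULNERABLE: setuid, $2 predates 0.11.2"
    else
        echo "REVIEW: setuid mode is deprecated"
    fi
}

# Audit each candidate path; the version is read from `bwrap --version`.
audit() {
    for f in "$@"; do
        [ -x "$f" ] || continue
        ver=$("$f" --version 2>/dev/null | awk '{print $2; exit}')
        owner=$(ls -ldn "$f" | awk '{print $3}')
        printf '%s (owner uid %s, version %s): %s\n' \
            "$f" "$owner" "${ver:-unknown}" "$(assess "$f" "$ver")"
    done
}

# Paths are supplied by the operator, e.g. ./audit.sh /usr/bin/bwrap
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A `REVIEW` verdict means the binary is setuid but outside the affected range; it still relies on the mode this release deprecates.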


About Bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects
