Bubblewrap

Virtualization

A lightweight Linux tool that uses user namespaces to create unprivileged container sandboxes for applications like Flatpak, avoiding the need for root privileges.

C · Latest v0.11.2 · 1mo ago

Features

  • Creates isolated mount namespaces using tmpfs roots
  • Supports binding host paths (read‑only by default) and symlinking directories inside the sandbox
  • Leverages Linux user, IPC, PID, network, and UTS namespaces for fine‑grained isolation
  • Can be invoked directly or integrated into higher‑level frameworks such as Flatpak

Recent releases

v0.11.2 Breaking risk
Breaking changes
  • Setuid bubblewrap support deprecated; later versions will remove it
Security fixes
  • CVE-2026-41163: Setuid bubblewrap ptrace vulnerability allowing privilege escalation
Full changelog

This is a security update for CVE-2026-41163, which affects any system running bubblewrap 0.11.x as a setuid binary. Anyone using this should update to this release (or stop using setuid mode).

This release deprecates the support for setuid bubblewrap, and later versions of bubblewrap will no longer support it.

Bug fixes:

  • In setuid mode, don't run the low-privileged parts of the setup
    as dumpable, as that allows them to be ptraced, which can lead to problems.
    This is CVE-2026-41163, and was reported by François Diakhate.

Enhancements:

  • New build option -Dsupport_setuid, which if set to false (which
    is the default) disables the support for setuid. Binaries built
    with this will refuse to run if made setuid. We recommend building
    normal bubblewrap binaries like this, which allows you to safely
    ignore any security issues that only affect setuid mode.
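
To check whether a host is in the setuid configuration these notes describe, the following added example (not part of bubblewrap or of the release notes) classifies a bwrap binary by its setuid bit and version. The function names and status strings are made up for the example, and it assumes `bwrap --version` prints `bubblewrap X.Y.Z`.

```shell
#!/bin/sh
# Added example: classify a bwrap binary against the v0.11.2 release notes.
# Function names and status strings are hypothetical, chosen for this example.

# classify_bwrap PATH VERSION -> prints one status word
classify_bwrap() {
    path=$1
    version=$2
    if [ ! -u "$path" ]; then
        echo "not-setuid"              # setuid-only issues do not apply
        return 0
    fi
    case $version in
        0.11.*)
            patch=${version#0.11.}
            patch=${patch%%[!0-9]*}    # drop any suffix after the digits
            if [ "${patch:-0}" -lt 2 ]; then
                echo "setuid-affected"     # 0.11.x before the fix in 0.11.2
            else
                echo "setuid-deprecated"   # fixed, but setuid mode is deprecated
            fi ;;
        *)
            echo "setuid-deprecated" ;;    # the notes name only 0.11.x as affected
    esac
}

# audit_bwrap [PATH]: locate the binary, read its version, classify it.
audit_bwrap() {
    path=${1:-$(command -v bwrap)} || return 1
    [ -n "$path" ] && [ -x "$path" ] || { echo "bwrap not found" >&2; return 1; }
    # Assumption: `bwrap --version` prints "bubblewrap X.Y.Z"; keep the last field.
    version=$("$path" --version 2>/dev/null | awk '{print $NF; exit}')
    printf '%s %s %s\n' "$path" "${version:-unknown}" \
        "$(classify_bwrap "$path" "${version:-unknown}")"
}
```

Source the file and run `audit_bwrap` with no argument to check the bwrap on `PATH`, or pass an explicit path such as the copy a distribution package installs.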
v0.11.1 Bug fix

Fixed SIGCHLD signal handling restoration for compatibility with Erlang and volumeicon, corrected namespace argument processing, improved CI for user namespaces, and fixed documentation links.

About

Stars
7,399
Forks
337
Languages
C Shell Python

Install & Platforms

Install via
binary
Platforms
linux
