v0.11.2
Breaking risk
Breaking changes
- Setuid bubblewrap support deprecated; later versions will remove it
Security fixes
- CVE-2026-41163: Setuid bubblewrap ptrace vulnerability allowing privilege escalation
Full changelog
This is a security update for CVE-2026-41163, which affects any system using bubblewrap 0.11.x using a setuid bubblewrap. Anyone using this should update to this release (or stop using setuid mode).
This release deprecates the support for setuid bubblewrap, and later versions of bubblewrap will no longer support it.
Bug fixes:
- In setuid mode, don't run the low-privileged parts parts of the setup
as dumpable, as that allows it to be ptraced which can lead to problems.
This is CVE-2026-41163, and was reported by François Diakhate.
Enhancements:
- New build option
-Dsupport_setuid, which if set to false (which
is the default) disables the support for setuid. Binaries built
with this will refuse to run if made setuid. We recommend building
normal bubblewrap binaries like this, which allows you to safely
ignore any security issues that only affect setuid mode.