cbcvebase.
CVE-2024-42472
published 2024-08-15

Priority: P2 · 65 · critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS: 1.28% (66.5th percentile)

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality.

When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox.

Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | flatpak | < flatpak 1.14.10-1~deb12u1 (bookworm) | flatpak 1.14.10-1~deb12u1 (bookworm) |
| flatpak | flatpak | < 1.14.10 | 1.14.10 |
| flatpak | flatpak | | |
| flatpak | flatpak | >= 0, < 1.10.8-0+deb11u3 | 1.10.8-0+deb11u3 |
| flatpak | flatpak | >= 0, < 1.14.10-1~deb12u1 | 1.14.10-1~deb12u1 |
| flatpak | flatpak | >= 0, < 1.14.10-1 | 1.14.10-1 |
| flatpak | flatpak | >= 0, < 1.14.10-1 | 1.14.10-1 |
| flatpak | flatpak | >= 1.14.0, < 1.14.10 | 1.14.10 |
| flatpak | flatpak | >= 1.15.0, < 1.15.10 | 1.15.10 |

Detection & IOCs (extracted from sources)

path: ~/.var/app/$APPID/subdir
path: ~/.var/app/$APPID
path: /usr/bin/bwrap
path: /usr/libexec/flatpak-bwrap
command: --persist=subdir
  • Monitor for symlink creation inside ~/.var/app/$APPID/ directories, particularly where a persistent subdirectory is replaced by a symlink pointing outside the sandbox. This is the core exploitation primitive.
  • Detect concurrent execution of multiple instances of the same Flatpak application, which may indicate exploitation of the race condition variant of this vulnerability.
  • Audit Flatpak application manifests or permissions for use of the `persistent` / `--persist` option, as this is the required precondition for exploitation.
  • Monitor bind mount operations initiated by bwrap (/usr/bin/bwrap or /usr/libexec/flatpak-bwrap) that resolve through symlinks to paths outside ~/.var/app/$APPID/, which would indicate sandbox escape.
  • Check installed Flatpak version; versions prior to 1.14.10 (1.14.x branch) or 1.15.10 (1.15.x branch) are vulnerable. Flag systems running 1.12.x or 1.10.x as unpatched.
  • If Flatpak is built with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x), the system-installed /usr/bin/bwrap must be patched separately; patching only Flatpak is insufficient.
  • Applying only the Flatpak patches (commits ceec2ffc and 98f79773) provides only partial protection; the race condition remains exploitable without also patching bubblewrap to add --bind-fd.
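As an added defensive example (not Flatpak's code, nor taken from this page's sources), the following Python combines two of the checks above: the version test, and a scan of a `~/.var/app/$APPID` directory for `persistent=` subdirectories that have been replaced by symlinks or otherwise resolve outside the app directory. The app ID, the subdirectory list and the temporary directory layout in `demo()` are constructed for the demonstration.

```python
"""Defensive checks for CVE-2024-42472 (example code added here, not Flatpak's own).
The app ID, persist list and fixture paths below are constructed for the demo."""
import os
import tempfile


def is_vulnerable_version(version: str) -> bool:
    """Flatpak below 1.14.10 (1.14.x) or 1.15.10 (1.15.x) is affected; the advisory
    names no fixed release for older branches such as 1.10.x and 1.12.x, so they
    are flagged too. A distro suffix such as '-1~deb12u1' is ignored."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    if parts >= (1, 15, 10):
        return False
    if (1, 14, 10) <= parts < (1, 15, 0):
        return False
    return True


def audit_persist_dirs(app_dir: str, persist_subdirs) -> list:
    """Report persistent subdirs under ~/.var/app/$APPID that are symlinks or
    resolve outside the app dir. An unpatched flatpak/bwrap would follow such a
    bind-mount source into the sandbox, so each hit is worth investigating."""
    findings = []
    app_real = os.path.realpath(app_dir)
    for subdir in persist_subdirs:
        src = os.path.join(app_dir, subdir)
        if not os.path.lexists(src):
            continue  # not created yet (first launch creates it); nothing to check
        if os.path.islink(src):  # lstat-based: does not follow the link
            findings.append(f"{src}: is a symlink -> {os.readlink(src)}")
        real = os.path.realpath(src)  # catches symlinks in nested components too
        if real != app_real and not real.startswith(app_real + os.sep):
            findings.append(f"{src}: resolves outside app dir -> {real}")
    return findings


def demo() -> list:
    """Constructed fixture: one honest persisted subdir, one replaced by a symlink
    pointing outside the app dir (the condition the advisory describes), and one
    persist entry that has not been created yet."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, ".var", "app", "org.example.App")  # hypothetical app ID
    os.makedirs(os.path.join(app_dir, ".config"))
    outside = os.path.join(root, "real_home")
    os.makedirs(outside)
    os.symlink(outside, os.path.join(app_dir, "data"))
    return audit_persist_dirs(app_dir, [".config", "data", "cache"])
```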

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |