CVE-2021-21261

7.3 HIGH

📋 TL;DR

This CVE allows malicious or compromised Flatpak applications to escape their sandbox and execute arbitrary code on the host Linux system. The vulnerability affects Flatpak versions from 0.11.4 up to (but not including) 1.8.5 and 1.10.0. Any Linux system running vulnerable Flatpak versions with sandboxed applications is at risk.

💻 Affected Systems

Products:
  • Flatpak
Versions: 0.11.4 to 1.8.4, and 1.9.x versions before 1.10.0
Operating Systems: Linux distributions with Flatpak support
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Flatpak portal service (flatpak-portal) to be running and sandboxed applications to be present.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete host system compromise allowing attackers to install persistent malware, steal sensitive data, or pivot to other systems.

🟠 Likely Case

Local privilege escalation where a compromised Flatpak app gains full host system access, potentially leading to data theft or further attacks.

🟢 If Mitigated

Limited to sandboxed application compromise without host system access if proper patching or workarounds are implemented.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a malicious or compromised Flatpak application already running in the sandbox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.5 or 1.10.0

Vendor Advisory: https://github.com/flatpak/flatpak/releases/tag/1.8.5

Restart Required: Yes

Instructions:

1. Update Flatpak using your distribution's package manager.
2. Restart the flatpak-portal service.
3. Verify the update with 'flatpak --version'.

🔧 Temporary Workarounds

Disable the flatpak-portal service

Prevents the vulnerable service from running but will break many Flatpak applications. flatpak-portal is a per-user systemd unit (flatpak-portal.service, D-Bus name org.freedesktop.portal.Flatpak) and is started on demand by D-Bus, so it must be masked, not merely disabled, in each user's session:

systemctl --user stop flatpak-portal.service
systemctl --user mask flatpak-portal.service

🧯 If You Can't Patch

  • Remove or disable all Flatpak applications to eliminate attack surface
  • Implement strict application allowlisting and monitor for suspicious Flatpak activity

🔍 How to Verify

Check if Vulnerable:

Check Flatpak version with 'flatpak --version' and compare to affected ranges.

Check Version:

flatpak --version

Verify Fix Applied:

Confirm with 'flatpak --version' that the version is 1.8.5 or later in the 1.8 series, or 1.10.0 or later; note that 1.9.x releases are newer than 1.8.5 but still vulnerable.
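The version comparison above is easy to get wrong by hand because the affected set is two disjoint ranges (0.11.4 up to 1.8.5, and the 1.9.x series up to 1.10.0), so a plain "newer than 1.8.5" check would wrongly clear a 1.9.x install. The following POSIX shell script is an added example written for this page, not code from the Flatpak project or the advisory; the function names (version_key, flatpak_is_vulnerable, check_installed_flatpak) and the sample "Flatpak 1.8.4" output used when flatpak is not installed are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether a Flatpak version
# falls inside the CVE-2021-21261 affected ranges:
#   0.11.4 <= v < 1.8.5    (1.8 series and earlier)
#   1.9.0  <= v < 1.10.0   (1.9 development series)

# Turn "MAJOR.MINOR.PATCH" (any prefix such as "Flatpak " and any suffix such
# as "-1" are ignored) into one integer so shell arithmetic can compare it.
version_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p')
    # split on dots into the function's own positional parameters
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Returns 0 (true) when the given version is in an affected range.
flatpak_is_vulnerable() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 0.11.4)" ] && [ "$k" -lt "$(version_key 1.8.5)" ] && return 0
    [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -lt "$(version_key 1.10.0)" ] && return 0
    return 1
}

# Query the installed binary; `flatpak --version` prints "Flatpak X.Y.Z".
# Where flatpak is absent, fall back to a constructed sample line so the
# logic can still be exercised. Exit status 1 means "in affected range".
check_installed_flatpak() {
    out=$(flatpak --version 2>/dev/null) || out="Flatpak 1.8.4"   # constructed sample
    ver=$(printf '%s\n' "$out" | sed -n 's/^Flatpak \([0-9][0-9.]*\).*$/\1/p')
    if flatpak_is_vulnerable "$ver"; then
        echo "Flatpak $ver is in the CVE-2021-21261 affected range: update to 1.8.5 or 1.10.0"
        return 1
    fi
    echo "Flatpak $ver is outside the CVE-2021-21261 affected range"
    return 0
}

# Run the check; `|| :` keeps a non-zero finding from aborting a caller
# that sources this file under `set -e`.
check_installed_flatpak || :
```

The exit status of check_installed_flatpak (1 when the installed version is affected) makes the script usable from configuration-management or fleet-inventory jobs, where the numeric key comparison is what prevents a 1.9.x host from being reported as patched.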

📡 Detection & Monitoring

Log Indicators:

  • Unusual flatpak-portal service activity
  • Suspicious environment variable manipulation in Flatpak context

Network Indicators:

  • Unexpected outbound connections from Flatpak applications

SIEM Query:

process_name:"flatpak" AND (event_type:"process_execution" OR event_type:"sandbox_escape")
