CVE-2024-42472
📋 TL;DR
This vulnerability in Flatpak allows malicious or compromised applications using persistent directories to escape sandbox restrictions and access/write files outside their intended scope. It affects Linux systems running vulnerable Flatpak versions when applications use the 'persistent' permission. The attack compromises both integrity and confidentiality of user data.
💻 Affected Systems
- Flatpak
📦 What is this software?
Flatpak by Flatpak
⚠️ Risk & Real-World Impact
Worst Case
Complete sandbox escape allowing a malicious app to read/write arbitrary files in the user's home directory, potentially leading to credential theft, data exfiltration, or system compromise.
Likely Case
Targeted data theft or modification by compromised applications, particularly affecting user documents, configuration files, and sensitive data in home directories.
If Mitigated
Limited impact once both Flatpak and bubblewrap are updated; if only part of the fix is applied, race condition exploitation remains possible.
🎯 Exploit Status
Exploitation requires malicious or compromised Flatpak application with persistent directory access. Race condition exploitation requires parallel malicious app instances.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Flatpak 1.14.10 or 1.15.10
Vendor Advisory: https://github.com/flatpak/flatpak/security/advisories
Restart Required: Yes
Instructions:
1. Update Flatpak to 1.14.10 (stable) or 1.15.10 (development).
2. Update bubblewrap to 0.6.3 (for 1.14.x) or 0.10.0 (for 1.15.x).
3. Restart affected applications.
4. For distributions using system bubblewrap, ensure both packages are updated.
🔧 Temporary Workarounds
Disable persistent permissions
Avoid using applications with the 'persistent' or '--persist' permission until patched:
flatpak override --nofilesystem=home $APPID
flatpak override --persist= $APPID
🧯 If You Can't Patch
- Remove or disable Flatpak applications using persistent permissions
- Implement strict application vetting and only install trusted Flatpak applications
🔍 How to Verify
Check if Vulnerable:
Check the Flatpak version with flatpak --version. If the version is below 1.14.10 (1.14.x branch) or below 1.15.10 (1.15.x branch), the system is vulnerable when applications with persistent permissions are in use.
Check Version:
flatpak --version && bwrap --version 2>/dev/null || /usr/libexec/flatpak-bwrap --version 2>/dev/null
Verify Fix Applied:
Verify that the Flatpak version is 1.14.10 or later (1.14.x) or 1.15.10 or later (1.15.x). Then check the bubblewrap version: bwrap --version should report 0.6.3 or later (for 1.14.x) or 0.10.0 or later (for 1.15.x).
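As an added example (not part of the advisory), a POSIX shell helper that applies the two branch-specific thresholds above to the version strings printed by flatpak --version and bwrap --version, comparing components numerically so 0.10.0 ranks above 0.6.3. Treating branches newer than 1.15 like 1.15 is an assumption, not something the advisory states.

```shell
#!/bin/sh
# Added example for CVE-2024-42472 (not part of the advisory): decide whether a
# Flatpak + bubblewrap pair carries the fix. Thresholds come from the advisory:
# Flatpak 1.14.10 with bubblewrap 0.6.3 on the 1.14 branch, Flatpak 1.15.10
# with bubblewrap 0.10.0 on the 1.15 branch.

# version_ge A B: exit 0 when dotted version A >= B, comparing each component
# numerically (so 0.10.0 correctly ranks above 0.6.3, unlike a string compare).
version_ge() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# cve_2024_42472_status FLATPAK_VERSION BWRAP_VERSION: prints a verdict and
# returns 0 when fixed, 1 when vulnerable, 2 when the input is not a version.
cve_2024_42472_status() {
    _fp=$1 _bw=$2
    case "$_fp$_bw" in ""|*[!0-9.]*) echo "unrecognised version string"; return 2 ;; esac
    case $_fp in
        1.14.*) _min_fp=1.14.10 _min_bw=0.6.3 ;;
        # Assumption, not stated in the advisory: branches newer than 1.15 are
        # treated like 1.15, so they count as fixed once past 1.15.10 / 0.10.0.
        *)      _min_fp=1.15.10 _min_bw=0.10.0 ;;
    esac
    if version_ge "$_fp" "$_min_fp" && version_ge "$_bw" "$_min_bw"; then
        echo "fixed: Flatpak $_fp with bubblewrap $_bw"
        return 0
    fi
    echo "vulnerable: need Flatpak >= $_min_fp and bubblewrap >= $_min_bw, have $_fp / $_bw"
    return 1
}

# check_installed: query the real binaries, falling back to Flatpak's bundled
# bubblewrap the same way the advisory's own verification command does.
check_installed() {
    _fp_out=$(flatpak --version 2>/dev/null) || { echo "flatpak not found"; return 2; }
    _bw_out=$(bwrap --version 2>/dev/null || /usr/libexec/flatpak-bwrap --version 2>/dev/null) \
        || { echo "bubblewrap not found"; return 2; }
    # Outputs look like "Flatpak 1.14.10" / "bubblewrap 0.6.3": keep the last field.
    cve_2024_42472_status "${_fp_out##* }" "${_bw_out##* }"
}

if [ "${1:-}" = "--check" ]; then check_installed; fi
```

Run with `sh check.sh --check` on the host to test the installed versions; the status function can also be fed versions reported by a package manager on a remote host.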
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from Flatpak applications
- Symlink creation/modification in ~/.var/app directories
Network Indicators:
- Unexpected outbound connections from Flatpak applications
SIEM Query:
process.name:flatpak AND file.path:/home/* AND file.action:write
🔗 References
- https://github.com/containers/bubblewrap/commit/68e75c3091c87583c28a439b45c45627a94d622c
- https://github.com/containers/bubblewrap/commit/a253257cd298892da43e15201d83f9a02c9b58b5
- https://github.com/flatpak/flatpak/commit/2cdd1e1e5ae90d7c3a4b60ce2e36e4d609e44e72
- https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a
- https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75
- https://github.com/flatpak/flatpak/commit/7c63e53bb2af0aae9097fd2edfd6a9ba9d453e97
- https://github.com/flatpak/flatpak/commit/8a18137d7e80f0575e8defabf677d81e5cc3a788
- https://github.com/flatpak/flatpak/commit/db3a785241fda63bf53f0ec12bb519aa5210de19
- https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87
- http://www.openwall.com/lists/oss-security/2024/08/14/6
- https://lists.debian.org/debian-lts-announce/2025/03/msg00025.html