{"id":"CVE-2021-21261","details":"Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. 
This is fixed in versions 1.8.5 and 1.10.0.","modified":"2026-04-16T04:30:26.109113398Z","published":"2021-01-14T20:15:12.360Z","related":["GHSA-4ppf-fxf6-vxg2","SUSE-SU-2021:1094-1","SUSE-SU-2022:2990-1","SUSE-SU-2022:3284-1","openSUSE-SU-2021:0520-1","openSUSE-SU-2024:10762-1"],"references":[{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/releases/tag/1.8.5"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-21"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4830"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"b5571fa0397d1ce0f1aaf9cf6bfe2e60cb90895d"},{"fixed":"58dc0ea96c1648cdec341d7d74c260c3d62eb2bc"},{"introduced":"d395763327116b3b04a8d6d4c33a24074700d2de"},{"fixed":"649ad5fe49945b834da0d616a24400c41666048c"},{"fixed":"6d1773d2a54dde9b099043f07a2094a4f1c2f486"},{"fixed":"6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b"},{"fixed":"aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4"},{"fixed":"cc1401043c075268ecc652eac557ef8076b5eaba"}],"database_specific":{"versions":[{"introduced":"0.11.4"},{"fixed":"1.8.5"},{"introduced":"1.9.1"},{"fixed":"1.10.0"}]}}],"versions":["0.11.4","0.11.5","0.11.6","0.11.7","0.11.8","0.11.8.1","0.11.8.2","0.11.8.3","0.99.1","0.99.2","0.99.3","1.0.0","1.0.1","1.0.2","1.0.3","1.1.0","1.1.1","1.1.2","1.1.3","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.4.0","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.
1","1.7.2","1.7.3","1.8.0","1.8.2","1.8.3","1.8.4","1.9.1","1.9.2","1.9.3"],"database_specific":{"vanir_signatures":[{"target":{"file":"common/flatpak-bwrap.c"},"source":"https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486","id":"CVE-2021-21261-0548202b","digest":{"line_hashes":["187884336905612395231330406807632357540","119966363514582499525315861909166376099","46012603303833455347858473125643287427","151763468982046354621867926977057407996","147841209049247011411836960548228474009","210586123448264467490491665920891689504"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","deprecated":false},{"target":{"file":"common/flatpak-run.c"},"source":"https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486","id":"CVE-2021-21261-2cb9cfb5","signature_type":"Line","digest":{"line_hashes":["168417353790797368165839907690445508493","327012681670393743305787150072641325411","23688458601150324176395771316217294730","49729934599472863566897555018543408450","9450908212238931453333786533088716078","184028996534785543118806081166217184330","141419741360300883951586041005272492896","206249337290032327518896842942263903489","90318883290108511492839356082770308365","12932935097118578644062154051992084777","144774528113192030728296602362033592877","79201547501775564610540632545667244027","268846712764991704531477048056715863846","278171116430610011995476595605264549622","198046183515048329716552688201140766062","186874874185981287271469462079034122186","256515148011437925207635412414066159130","3346186902999804577361326057752316291","254409286826292135473128319948286163718","141533511151258764870094348930568640143","259454807294067507133633282981503554384","191389743288879362348653886153241129053","194637151052508142939035967020326419871","205972780634195676094809405714121723252","23392054317266148780655332786943982622","34547951232220976726414035075532117100"],"threshold":0.9},"signature_version":"v1","deprecated
":false},{"target":{"function":"child_setup_func","file":"portal/flatpak-portal.c"},"source":"https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4","id":"CVE-2021-21261-33525b89","signature_type":"Function","digest":{"length":1224,"function_hash":"116696172303620550801466906987719068366"},"signature_version":"v1","deprecated":false},{"id":"CVE-2021-21261-4a832f75","source":"https://github.com/flatpak/flatpak/commit/6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b","target":{"file":"common/flatpak-context.c"},"signature_type":"Line","digest":{"line_hashes":["181467856496703161714286787676753514560","262003444876501901294604323868568402193","150489235987664807730600990675707141516","308914679741222343840220446431887347020","22914194553643468080754179086792170796","294736744238137854585260502181037366798","257931896619599938072240305823517035948"],"threshold":0.9},"signature_version":"v1","deprecated":false},{"target":{"function":"flatpak_run_add_environment_args","file":"common/flatpak-run.c"},"source":"https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486","id":"CVE-2021-21261-89757ad9","signature_type":"Function","digest":{"length":4242,"function_hash":"33047310530798657115268533786732258227"},"signature_version":"v1","deprecated":false},{"id":"CVE-2021-21261-90336293","source":"https://github.com/flatpak/flatpak/commit/cc1401043c075268ecc652eac557ef8076b5eaba","target":{"file":"portal/flatpak-portal.c"},"digest":{"line_hashes":["271845509910812711137384046118951455179","102416855131910788437706480729441538709","51213083205691676287204730805029338261","88873101976548655118981504411646758366","276629679408525911711405358044738720536","295864476410362513706402887219810128860","187672123155510881918023627336945040586"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","deprecated":false},{"target":{"function":"handle_spawn","file":"portal/flatpak-portal.c"},"source":"https://github.com/flatpak/flatpak/c
ommit/cc1401043c075268ecc652eac557ef8076b5eaba","id":"CVE-2021-21261-c441fdeb","signature_type":"Function","digest":{"length":15275,"function_hash":"13648073397090505178352368602612080075"},"signature_version":"v1","deprecated":false},{"id":"CVE-2021-21261-cc0442da","source":"https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486","target":{"function":"flatpak_run_app","file":"common/flatpak-run.c"},"digest":{"length":10642,"function_hash":"121856444566269508847150148348225191560"},"signature_type":"Function","signature_version":"v1","deprecated":false},{"target":{"file":"common/flatpak-bwrap-private.h"},"source":"https://github.com/flatpak/flatpak/commit/6d1773d2a54dde9b099043f07a2094a4f1c2f486","id":"CVE-2021-21261-e4aba771","signature_type":"Line","digest":{"line_hashes":["186753914006100194516954110745550884424","12753299659279139043630104728458776064","269889525867134572535695503617087983501","208208283627142296061927458336690996509","180501221704741290327491119284995032025","176111972974236863265595961229486818247","96681180801602239017311502751839799173","198705453584377096480089798889685337457"],"threshold":0.9},"signature_version":"v1","deprecated":false},{"target":{"file":"portal/flatpak-portal.c"},"source":"https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4","id":"CVE-2021-21261-f081ded5","digest":{"line_hashes":["250583380488175601669317137946174719794","311312556761816106744451561827799888308","296511374797103482356447941591751752716","163819300700743363828332066461507542872","256646176672544301483717845513293989867","283066343764066525662795773450547192544","307830766081670044218645905522083376346","314613757453546637160749133659371754136","33477874074197511545467797114432888206","217867266162192291486524756726822760936","40016216926295346927460055704050908419","202058260553356883764319272044505786272","232829783943157726400537389676411531144","142269808049044781331577504304469511031","2284615
31246778135043747909129711248394","158813393187993092148429072759724546882"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","deprecated":false},{"target":{"function":"handle_spawn","file":"portal/flatpak-portal.c"},"source":"https://github.com/flatpak/flatpak/commit/aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4","id":"CVE-2021-21261-f0f82716","signature_type":"Function","digest":{"length":14396,"function_hash":"138027983890393511308692566048484423621"},"signature_version":"v1","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21261.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"vanir_signatures_modified":"2026-04-11T23:33:53Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}
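Worked illustration of the bug class in the `details` field above. This is added example code, not Flatpak's own and not taken from the referenced commits: it models a portal `Spawn`-style handler that must forward caller-chosen environment variables into a new sandbox instance, and contrasts the vulnerable shape (the caller's variables are merged into the environment of the host-side launcher that stands in for `flatpak run`, so anything that launcher trusts is now under the sandboxed caller's control) with a fixed shape that leaves the launcher's environment untouched and carries the variables as data on an inherited pipe. The `--env-fd` option, its NUL-separated `KEY=VALUE` encoding, the app id `org.example.App`, the path `/app/bin/helper` and the variable names in the sample request are all assumptions or constructed inputs; the page does not say which variables were abused.

```python
"""CVE-2021-21261 bug class: caller-specified environment reaching a host-side
launcher. Added example, not Flatpak's code. The --env-fd option and its
NUL-separated KEY=VALUE encoding are assumptions modelled on the fix's shape."""
import json
import os
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample request from a (hostile) sandboxed app. Variable names
# are illustrative only; LD_PRELOAD stands for "a variable the launcher trusts".
CALLER_ENV: Dict[str, str] = {"LD_PRELOAD": "/app/lib/hook.so", "MY_FLAG": "1"}
CALLER_ARGV: List[str] = ["/app/bin/helper", "--child"]
# Stand-in for the host-side `flatpak run` invocation (assumed command line).
LAUNCHER: List[str] = ["flatpak", "run", "--command=" + CALLER_ARGV[0], "org.example.App"]


def spawn_args_vulnerable(caller_env: Dict[str, str],
                          portal_env: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Vulnerable shape: caller variables become the launcher's own environment."""
    launcher_env = dict(portal_env)
    launcher_env.update(caller_env)  # the bug: honoured by the unsandboxed launcher
    return LAUNCHER + CALLER_ARGV[1:], launcher_env


def encode_env_fd(caller_env: Dict[str, str]) -> bytes:
    """Serialise KEY=VALUE entries, NUL-terminated, rejecting malformed names."""
    out = bytearray()
    for name, value in caller_env.items():
        if not name or "=" in name or "\0" in name or "\0" in value:
            raise ValueError(f"invalid environment entry: {name!r}")
        out += f"{name}={value}".encode() + b"\0"
    if len(out) > 4096:  # keep the single pipe write below the pipe buffer
        raise ValueError("environment too large for this demo")
    return bytes(out)


def decode_env_fd(data: bytes) -> Dict[str, str]:
    """Inverse of encode_env_fd; this is what sandbox setup code would run."""
    env: Dict[str, str] = {}
    for entry in data.split(b"\0"):
        if entry:
            name, _, value = entry.partition(b"=")
            env[name.decode()] = value.decode()
    return env


def spawn_args_fixed(caller_env: Dict[str, str],
                     portal_env: Dict[str, str]) -> Tuple[List[str], Dict[str, str], int]:
    """Fixed shape: launcher environment untouched, caller variables out-of-band.

    Returns (argv, env, read_fd); the caller must close read_fd after spawning.
    """
    payload = encode_env_fd(caller_env)  # validate before allocating the pipe
    rfd, wfd = os.pipe()
    os.write(wfd, payload)
    os.close(wfd)
    argv = LAUNCHER[:2] + [f"--env-fd={rfd}"] + LAUNCHER[2:] + CALLER_ARGV[1:]
    return argv, dict(portal_env), rfd


# Child program standing in for the sandbox side: reads the fd, never its own env.
CHILD = r"""
import json, os, sys
fd = int(sys.argv[1]); buf = b""
while True:
    chunk = os.read(fd, 4096)
    if not chunk:
        break
    buf += chunk
env = {}
for e in buf.split(b"\0"):
    if e:
        k, _, v = e.partition(b"=")
        env[k.decode()] = v.decode()
print(json.dumps({"received": env, "ld_preload_in_own_env": "LD_PRELOAD" in os.environ}))
"""


def run_fixed_demo(caller_env: Dict[str, str]) -> dict:
    """Spawn a python child instead of `flatpak run`, handing it only the fd."""
    _, launcher_env, rfd = spawn_args_fixed(caller_env, {"PATH": os.environ.get("PATH", "")})
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD, str(rfd)], env=launcher_env,
                              pass_fds=(rfd,), capture_output=True, text=True, check=True)
    finally:
        os.close(rfd)
    result = json.loads(proc.stdout)
    result["launcher_env_keys"] = sorted(launcher_env)
    return result


if __name__ == "__main__":
    print(json.dumps(run_fixed_demo(CALLER_ENV), indent=2))
```

The point of the pipe is that the data travels through a channel the host-side launcher never interprets: the launcher's `environ` stays exactly what the portal chose, and only the code that builds the sandbox reads and applies the caller's variables. Rejecting names containing `=` or NUL matters because the encoding is otherwise ambiguous, and a permissive decoder would let one entry smuggle a second.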