{"id":"CVE-2021-43860","details":"Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the \"xa.metadata\" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the \"metadata\" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to xa.metadata. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions 1.12.3 and 1.10.6. 
As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the xa.metadata key on the commit metadata.","modified":"2026-04-16T04:35:54.624906046Z","published":"2022-01-12T22:15:07.977Z","related":["ALSA-2022:1792","GHSA-qpjc-vq3c-572j","SUSE-SU-2022:0712-1","SUSE-SU-2022:3284-1","openSUSE-SU-2022:0712-1","openSUSE-SU-2024:11740-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APFTBYGJJVJPFVHRXUW5PII5XOAFI4KH/"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/releases/tag/1.12.3"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202312-12"},{"type":"ADVISORY","url":"https://github.com/flatpak/flatpak/releases/tag/1.10.6"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5049"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/54ec1a482dfc668127eaae57f135e6a8e0bc52da"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451"},{"type":"FIX","url":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flatpak/flatpak","events":[{"introduced":"0"},{"fixed":"17cc9937cad5a10fdbb5dbac1febcc98a10b8d0c"},{"introduced":"bcdc073041e0c93e15aa108b94cb7a39a79dcdf3"},{"last_affected":"e528dcf196816de5e267d08456d1edd6877f8f73"},{"fixed":"54ec1a482dfc668127eaae57f135e6a8e0bc52da"},{"fixed":"65cbfac982cb1c83993a9e19aa424daee8e9f042"},{"fixed":"93357d357119093804df05acc32ff335839c6451"},{"fixed":"ba818f504c926baaf6e362be8159cfacf994310e"},{"fixed":"d9a
8f9d8ccc0b7c1135d0ecde006a75d25f66aee"},{"fixed":"e528dcf196816de5e267d08456d1edd6877f8f73"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.10.6"},{"introduced":"1.11.1"},{"last_affected":"1.12.3"}]}}],"versions":["0.1","0.10.0","0.10.1","0.10.2","0.11.1","0.11.2","0.11.3","0.11.4","0.11.5","0.11.6","0.11.7","0.11.8","0.11.8.1","0.11.8.2","0.11.8.3","0.2","0.2.1","0.3","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.4.0","0.4.1","0.4.10","0.4.11","0.4.12","0.4.13","0.4.2","0.4.2.1","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.5.0","0.5.1","0.5.2","0.6.0","0.6.1","0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.8.0","0.8.1","0.9.1","0.9.10","0.9.11","0.9.12","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","0.9.98","0.9.98.1","0.9.98.2","0.9.99","0.99.1","0.99.2","0.99.3","1.0.0","1.0.1","1.0.2","1.0.3","1.1.0","1.1.1","1.1.2","1.1.3","1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.11.1","1.11.2","1.11.3","1.12.0","1.12.1","1.12.2","1.12.3","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.4.0","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.1","1.7.2","1.7.3","1.8.0","1.9.1","1.9.2","1.9.3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"id":"CVE-2021-43860-1d540665","signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451","target":{"function":"flatpak_dir_pull","file":"common/flatpak-dir.c"},"signature_type":"Function","digest":{"length":3278,"function_hash":"141532740166785984415421914918709778572"}},{"id":"CVE-2021-43860-36468008","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee","target":{"function":"resolve_op_from_commit","file":"common/flatpak-transaction.c"},"signature_type":"Function","digest":{"length":1013,"function_hash":"7216691260011421426607676014918921917
2"}},{"digest":{"length":2046,"function_hash":"339737247405246731989476675945704742036"},"deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"upgrade_deploy_data","file":"common/flatpak-dir.c"},"signature_type":"Function","id":"CVE-2021-43860-3eb1334a"},{"deprecated":false,"id":"CVE-2021-43860-4b161cef","signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451","target":{"file":"common/flatpak-dir.c","function":"flatpak_dir_deploy"},"signature_type":"Function","digest":{"length":9527,"function_hash":"97646939531471039283140005229740933271"}},{"id":"CVE-2021-43860-5594e418","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","signature_version":"v1","deprecated":false,"target":{"function":"flatpak_dir_pull","file":"common/flatpak-dir.c"},"signature_type":"Function","digest":{"length":3261,"function_hash":"108157274676217845558974616427300781636"}},{"digest":{"length":1185,"function_hash":"142872958903960001710705119440647793968"},"deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee","target":{"function":"mark_op_resolved","file":"common/flatpak-transaction.c"},"signature_type":"Function","id":"CVE-2021-43860-5b7ace36"},{"deprecated":false,"id":"CVE-2021-43860-5ca9d5b1","signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"validate_commit_metadata","file":"common/flatpak-dir.c"},"signature_type":"Function","digest":{"length":588,"function_hash":"201869370587402139055417088224536499509"}},{"digest":{"line_hashes":["113906060814615388250958943980426724459","176940875076191891269846162397044897961","2850567047899330314015378116175590207","101180647974771639536099394259175212427","289709447313296564
554677975858121294327","231731912727897892085635547454843088114","291834660848745439830088635366627079967","218792257955215717086817293712330694505","60279110464370607946918913336977017899","317668202017520570742558513134732992724","150870807653931058537814641782374260902","265402850110289985844196242841832435522","217126854792704372889979877386226921706","334484318941778813222511243406795808752","141080186632941684667378085511060069913","187771840317557026038908382312344157842","313900450927211279900662706492698418908","268023618968753751289512861849931802853","101827564124797451647439813651155862909","50756745178298175683455892556951269265","16573105038800407010960711323116759938","321009502898708228700944344729869858615","112722907110318564105701046942059025842","150248590608283089730688085096838475848","213178837288014714223647895324175427962","227107901386578860573420462951371465789","328965565139110626740864294014787063214","273851668236455340667705458997159668507","23137554467035870665872908200354444307","272609309585095650454685528630767879074","142994434065710059772785345327213480302","232616095289602701867115145264683808488","117356317841148710037848821460628760498","131955345433866921287030309753766818115","179598129764717015350400042085013782316","339414202889473142307643944975954104012","52242946207213376658111699111451374055","256868658528190592680678777579149544645","87580117319930201975028396264494435387","269195271688570305048597750441994356452","86535097828903668676602669554643088636","192921292416269012823533753150471277556","4069462766814140087117412744185563641","85925118605704720585472579221782045763","335967016865171630593054352403198006774","25112074829882955399624709390192926083","203687230538998254504502339858857912271","212747165822216459556939592738193073382","108859695548172462225321819005856048581","234821476795901049204871870418586295291","304084885100800463084071990348038840487","66078822036470659144230149710285604275","12185076026776
9933114757163291369770783","135488234881649149468753675604121177069","259522684114347344518950359396904737198","320705484119821672307187881127568028546","35039739573046115916370192168006445900","329366806494639514928452277975991752849","85903228099650784518719945404171694252","296667237429480005016887321786683012499","61636712300706474001439058240294416112","77425943753379300985456224730390594033","135929676009272874451971485705602739130","49535617750990182053086350885676251462","33093153364960835950107932712302248566","225828864127289279921631622465974272262","79552568967556752798876914827463897153","333410181382288534824612319161829565673","176541068430625443980465508504582927512","168763759043810477002339022667318381678","331446700013639118708788535359201420254","155821766547486912171878411543998170111","58805356026095635832561191414997722458","99478570042327571537016778884384472730","333198278653344325639517405329165219299","125657544851565095256207088577436661723","239388980532439167434774870513742444418","270417850196932116785063177384387752083","5801530637509105560467689807237342717","20088633092441532646650728584560939559","42227335557464549010010414722436480917","83677434866771941295931151765314791457","177876332645596899893387754574563645196","227578307401345944109284943623988652836","1634520939855509107196698310393509536","76920695806038359049937337612482095975","230443769047555086793817637875159852835","286941051521258308774577060726131505363","326494712029138037058902409418515720528","46913028736989141746481103152322865734","273228920086417022959403044733870944246","5485597252794390319117476009855436311"],"threshold":0.9},"deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee","target":{"file":"common/flatpak-transaction.c"},"signature_type":"Line","id":"CVE-2021-43860-6d0d7a3c"},{"deprecated":false,"id":"CVE-2021-43860-7367118b","signature_version":"v1","source":"https://
github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"file":"common/flatpak-utils.c"},"signature_type":"Line","digest":{"line_hashes":["124588171243196159017325245423169724344","297426710713466060605088962606546847769","165934389046901228074990493218186080362","114060730018427728106657663031172015011","23142527110121917314341611571392501718","62518153213670252093757051117906746599","49410270569780855872032560277951466771","298771084599194939213039736243316336751","68015049258757301742784802346844661454","69272348257012032869529327589425445737","142365861560506242528150096585612340899","126370255795860806015291009246548187126","251641431207220062934404017557492285965","42223758317497889650179176523099628456"],"threshold":0.9}},{"id":"CVE-2021-43860-77ff53a6","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"try_resolve_op_from_metadata","file":"common/flatpak-transaction.c"},"signature_type":"Function","digest":{"length":1323,"function_hash":"233027807320338073607589774600227767042"}},{"id":"CVE-2021-43860-8b7c9d53","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451","target":{"function":"validate_commit_metadata","file":"common/flatpak-dir.c"},"signature_type":"Function","digest":{"length":780,"function_hash":"44369606853014012242343163063680559346"}},{"id":"CVE-2021-43860-8cf9a025","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451","target":{"file":"common/flatpak-dir.c"},"signature_type":"Line","digest":{"line_hashes":["57149265493872430027822444391435039971","93888921757088450450621244933121595204","58726908379109311810036282317833112295","241641131146341495441644568526422954398","215675362035243718653504875454687334952","3356374095166876787814256056431
19607974","235157349365159024898673017082412220955","325785708849771424137837445523432580434","323387029713864623379491020388098677670","16956737829638233055283797266862262703","109958476652233262003307174484882149235","73115411855031086833946676868175620507","68930752288344462197228387810069743745","80495402352877524917172159362624647054","72115217928619700308396391558443496221","14259380173406930917883488799718391961","153217848888722292680949200234219417426","303800768084033029244019993952351342097","58030509145122759570660871855385689047","212286888989208057246131969045308534041","251968170921419775447707999903369839087","72292594319842857139545075225690984659","160620965585170378079297128850168849635","113007455854131867626366658661907703023"],"threshold":0.9}},{"id":"CVE-2021-43860-a16dbd17","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"file":"common/flatpak-utils.c","function":"flatpak_pull_from_bundle"},"signature_type":"Function","digest":{"length":2410,"function_hash":"130268887356355324802151301214002533830"}},{"id":"CVE-2021-43860-b3e431be","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"resolve_op_from_commit","file":"common/flatpak-transaction.c"},"signature_type":"Function","digest":{"length":1017,"function_hash":"35507444413538165187572202229198735844"}},{"id":"CVE-2021-43860-bc88dfd3","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","signature_version":"v1","deprecated":false,"target":{"file":"common/flatpak-dir.c"},"signature_type":"Line","digest":{"line_hashes":["100737419827060205170198414800389184387","147773516081525001554295588253374388184","226225098825430752395285439407341201299","303147884397468597738662709471431570791","241641131146341495441644568526422954398","88043545392854206544277
765936902990586","59500614890680722908205740340948755221","168256884569841067884185050026736665062","259357256558738351504726465500188503747","181138335075233938374465241475198759983","127017229258498961023957720820318952800","28042782009037569120671434122320668804","231012024652166073477797178561391339267","6489037587716790811367711182929614153","313828336662594673455220358967849379802","145946474572252029719996614458748132423","105378569069162234850768369549942688277","183321967984024006210163039148144222295","316107473565103082443988270586501569191","98223543383625866905502946294220025283","78003675036132145024940266323136981023","159828783754817344216548204969522165493","83960354187234932446953270250865777970","105443273874021836890860840303759115755","181224744156650566400872879786794734155","81887701916145403750761171648458072429","70032870353621431751052726394536128812","28494434730770681077016801247642358209","243157794437306587665422466713735513865","252828546703910787814860840973790694651","314445975014033486486876501564521805295","214481218969469092082669095116137988979","338412271555581422031928028987357398958","226218761533293436320315337539252089534","187733715585570057798640888719938202345","82629542228865644247658191515657695735","59509183817093369878375538042218526829","257878910756238708787772132690214606659","252140756641509854650757499695224544643","100899753757084331058382048621250040764","25506175481870640167739428453839082526","284763049928881514111373346329127519135","179660368344375117315951300530965121794","56925722711802919112719619249771525804","80891711527026972231675690018738210259"],"threshold":0.9}},{"id":"CVE-2021-43860-ccdc3492","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"load_deployed_metadata","file":"common/flatpak-transaction.c"},"signature_type":"Function","digest":{"length":969,"function_hash":"592568685514722804
2481882271521756390"}},{"id":"CVE-2021-43860-d1c4aa3f","source":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee","signature_version":"v1","deprecated":false,"target":{"file":"common/flatpak-transaction.c","function":"resolve_ops"},"signature_type":"Function","digest":{"length":3928,"function_hash":"286898616012752349634334808800709437464"}},{"id":"CVE-2021-43860-e4782c3e","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"flatpak_transaction_add_ref","file":"common/flatpak-transaction.c"},"signature_type":"Function","digest":{"length":2672,"function_hash":"2696867275489056180011282615357340171"}},{"id":"CVE-2021-43860-ef0a0517","deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"file":"common/flatpak-transaction.c"},"signature_type":"Line","digest":{"line_hashes":["210648484732517088296769330734129106940","46629451896094101670571230274217458358","162445486178380282586568069834911329075","111740388813201847549500563602858560156","150481912879845550593135711365509310769","256193446523528562998242946403058041632","235817528180193076402361451869924316677","208198275019053322225600353267922397967","248933591574767209822627382570382408461","290473216411275696532154990853373061300","13497216911047613904274732569591815499","182487748692728740097300994311861168371","311053415847645923945277703357330979141","298409011616285831933306185866212696719","124492121589322149192915062175388484543","50843910737737449487675448893836490152"],"threshold":0.9}},{"digest":{"length":1319,"function_hash":"311279097478529110885827916821625603360"},"deprecated":false,"signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee","target":{"function":"try_resolve_op_from_metadata","file":"common/flatpa
k-transaction.c"},"signature_type":"Function","id":"CVE-2021-43860-ef69eb0b"},{"deprecated":false,"id":"CVE-2021-43860-f076299d","signature_version":"v1","source":"https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e","target":{"function":"flatpak_dir_deploy","file":"common/flatpak-dir.c"},"signature_type":"Function","digest":{"length":9504,"function_hash":"344809701562139156707791863798175169"}},{"id":"CVE-2021-43860-fd52db7a","source":"https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee","signature_version":"v1","deprecated":false,"target":{"function":"resolve_op_end","file":"common/flatpak-transaction.c"},"signature_type":"Function","digest":{"length":327,"function_hash":"292667963680028786439017636975465809109"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43860.json","vanir_signatures_modified":"2026-04-11T23:37:19Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}
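The root cause described in the details above is a length-vs-terminator mismatch: the commit's xa.metadata value is length-delimited and cannot hold a NUL, while the deployed "metadata" file was loaded as raw bytes and then handled as a C string, so the comparison silently stopped at the first NUL and everything after it was invisible to the user but still parsed at runtime. The program below is an added illustration of that bug class, not Flatpak's code; the vulnerable and hardened comparison functions, the hypothetical app id org.example.App and the sample metadata bytes are all constructed here. The key names ([Context] with shared=, sockets=, filesystems=) follow the flatpak metadata keyfile format, and the hardened variant shows the intent of the fix (reject embedded NULs, compare by explicit length) rather than reproducing the upstream patch.

```c
/*
 * Added example (not Flatpak code): CVE-2021-43860 bug class, a NUL byte
 * splitting "what the installer compares" from "what the runtime parses".
 *
 * Two copies of an app's metadata exist:
 *   - xa.metadata from the commit metadata: a length-delimited string that
 *     cannot contain an embedded NUL (GVariant strings are validated).
 *   - the "metadata" file in the deployed tree: raw bytes that the vulnerable
 *     code treated as a C string, so the comparison stopped at the first NUL
 *     while the full file was still parsed at runtime.
 *
 * All sample data below is constructed for illustration.
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* What the installer shows the user: benign permissions. */
static const char XA_METADATA[] =
    "[Application]\nname=org.example.App\n"
    "[Context]\nshared=network;\n";

/* The on-disk metadata file: same prefix, then a NUL, then hidden
 * permissions. sizeof() - 1 keeps the embedded NUL and the bytes after it. */
static const char METADATA_FILE[] =
    "[Application]\nname=org.example.App\n"
    "[Context]\nshared=network;\n"
    "\0"
    "[Context]\nsockets=session-bus;\nfilesystems=host;\n";
static const size_t METADATA_FILE_LEN = sizeof(METADATA_FILE) - 1;

/* Vulnerable check: treats the file as a C string, so strcmp() stops at the
 * first NUL and the trailing [Context] block is never compared. */
bool vulnerable_metadata_matches(const char *xa_metadata,
                                 const char *file_data, size_t file_len)
{
    (void) file_len;                 /* length ignored: this is the bug */
    return strcmp(xa_metadata, file_data) == 0;
}

/* Hardened check: reject any embedded NUL up front, then compare the full
 * byte length. Mirrors the fix's intent (validate the file, never trust
 * strlen() on untrusted bytes); it is not Flatpak's exact code. */
bool hardened_metadata_matches(const char *xa_metadata,
                               const char *file_data, size_t file_len)
{
    if (memchr(file_data, '\0', file_len) != NULL)
        return false;                /* NUL inside the file: malformed, reject */
    size_t xa_len = strlen(xa_metadata);
    return xa_len == file_len && memcmp(xa_metadata, file_data, file_len) == 0;
}

/* Audit helper: how many bytes of the file sit after the first NUL, i.e. how
 * much content a C-string reader would never see. 0 means no embedded NUL. */
size_t hidden_bytes_after_nul(const char *file_data, size_t file_len)
{
    const char *nul = memchr(file_data, '\0', file_len);
    if (nul == NULL)
        return 0;
    return file_len - (size_t) (nul - file_data) - 1;
}

int main(void)
{
    printf("vulnerable check says match: %s\n",
           vulnerable_metadata_matches(XA_METADATA, METADATA_FILE,
                                       METADATA_FILE_LEN) ? "yes" : "no");
    printf("hardened check says match:   %s\n",
           hardened_metadata_matches(XA_METADATA, METADATA_FILE,
                                     METADATA_FILE_LEN) ? "yes" : "no");
    printf("bytes hidden after NUL:      %zu\n",
           hidden_bytes_after_nul(METADATA_FILE, METADATA_FILE_LEN));
    return 0;
}
```

The same check is what the advisory's manual workaround amounts to: on an unpatched install, inspect the deployed metadata file for NUL bytes (for example with `od -c` or `grep -cP '\x00'`) and confirm that the permissions it declares match the ones shown at install time, since a NUL anywhere in that file is never legitimate in the keyfile format and is the signal that something was hidden from the comparison.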