CVE-2021-26910 — firejail - security update

Description

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.

How to fix CVE-2021-26910

To remediate CVE-2021-26910, upgrade the affected package to a fixed version below.

Debian/firejail—upgrade to 0.9.64.4-1 or later
—upgrade to 0.9.44.8-2+deb9u2 or later
—upgrade to 0.9.58.2-2+deb10u2 or later

Is CVE-2021-26910 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.9.64.4-1
from 0, < 0.9.44.8-2+deb9u2
from 0, < 0.9.58.2-2+deb10u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.0	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-26910