PatchSiren cyber security CVE debrief

CVE-2016-9016 Firejail Project CVE debrief

CVE-2016-9016 is a high-severity Firejail sandbox escape affecting version 0.9.38.4. According to NVD, a local user can abuse a crafted TIOCSTI ioctl call to execute arbitrary commands outside the sandbox boundary. The CVSS v3.0 vector reflects local attack requirements, low attack complexity, low privileges, no user interaction, and a changed scope with high impact to confidentiality, integrity, and availability.

Vendor: Firejail Project
Product: CVE-2016-9016
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Administrators and users running Firejail 0.9.38.4, especially on multi-user systems where a local account could interact with the sandboxed environment. Security teams responsible for Linux desktop or server hardening should prioritize review if Firejail is part of their containment strategy.

Technical summary

NVD lists Firejail 0.9.38.4 as vulnerable and maps the issue to CWE-284. The flaw is described as a sandbox escape involving a crafted TIOCSTI ioctl, which allows local command execution outside the sandbox. The published CVSS 3.0 vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating the attacker must already have local access but can still achieve severe cross-boundary impact.

Defensive priority

High for any environment where Firejail is used to constrain untrusted or semi-trusted local activity. Because the attack is local and can break sandbox isolation, mitigation should be treated as urgent on exposed multi-user endpoints and development systems.

Recommended defensive actions

Identify systems running Firejail 0.9.38.4 and confirm whether they are exposed to local users.
Review vendor and upstream guidance linked from the CVE record before deploying or updating Firejail.
Apply an updated Firejail release or vendor backport that addresses the sandbox escape, if available in your distribution.
Restrict local shell access and monitor for unexpected TIOCSTI-related behavior on systems where Firejail is deployed.
Treat any sandbox boundary assumptions as suspect until affected versions are remediated and validated.

Evidence notes

Source corpus confirms the affected product/version as firejail_project:firejail:0.9.38.4 and describes the issue as a local command execution escape via crafted TIOCSTI ioctl. NVD assigns CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H and CWE-284. Reference links in the record point to two oss-security posts dated 2016-10-25 and a SecurityFocus advisory entry. No fixed version was provided in the supplied corpus, so none is stated here.

Official resources

CVE-2016-9016 CVE record
CVE.org
CVE-2016-9016 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry

CVE-2016-9016 was published by NVD on 2017-01-19. The supplied record was last modified on 2026-05-13, but that date reflects metadata updates rather than the original vulnerability date. The reference trail in the CVE record points to oss-