PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5180 Firejail Project CVE debrief

CVE-2017-5180 is a local Firejail sandbox-escape issue tied to how the tool handled user file access protections when running with an euid of zero. According to the record, Firejail did not consider the .Xauthority case in its attempt to block access to user files, and the issue could be reached through a symlink-based vector while using the --private option. The NVD record rates the issue HIGH with a CVSS v3.0 score of 8.8, reflecting the potential for confidentiality, integrity, and availability impact once the sandbox boundary is bypassed.

Vendor
Firejail Project
Product
CVE-2017-5180
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Administrators and users relying on Firejail for desktop or application sandboxing, especially on systems running affected Firejail versions. This is most relevant where --private is used to isolate user data and where local users may be able to interact with symlinked files or user-controlled paths.

Technical summary

NVD describes the flaw as Firejail failing to account for the .Xauthority file name case while trying to prevent access to user files when running with an effective UID of zero. The weakness is mapped to CWE-862 (Missing Authorization). The affected version ranges in the record are Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS. The published CVSS vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating a local attack that can cross a security boundary and have high impact.

Defensive priority

High. This is a sandbox boundary bypass in a security tool, with local attack requirements but severe potential impact and a strong CVSS score.

Recommended defensive actions

  • Upgrade Firejail to 0.9.44.4 or later, or to 0.9.38.8 LTS or later for the LTS line.
  • Inventory systems that use Firejail with the --private option and confirm they are not on affected versions.
  • Review local-user exposure on multi-user hosts where symlink manipulation or shared paths could matter.
  • Use the vendor release notes and distribution advisories to verify fixed package versions before and after rollout.

Evidence notes

The debrief is based on the CVE record and NVD metadata. The record states that Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS are vulnerable, and that the issue involves .Xauthority handling during access restriction attempts with euid zero and the --private option. NVD classifies the weakness as CWE-862 and assigns CVSS v3.0 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, with a score of 8.8. References in the record include the vendor release notes, an oss-security mailing list post, a SecurityFocus entry, and a Gentoo GLSA.

Official resources

The CVE record was published on 2017-02-09. The source corpus also lists related references dated earlier in 2017, but the CVE publication date is the correct disclosure date to use here.