PatchSiren

CVE-2017-5940 Firejail Project CVE debrief

CVE-2017-5940 was publicly disclosed on 2017-02-09 and describes a Firejail sandbox escape issue caused by incomplete dotfile handling while trying to block access to user files with an euid of zero. The record states that local users could leverage a symlink and the --private option to bypass containment, and that the flaw existed because of an incomplete fix for CVE-2017-5180.

Vendor: Firejail Project
Product: CVE-2017-5940
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Administrators and users running Firejail in environments that rely on local sandboxing, especially those using affected 0.9.38.x LTS or 0.9.40 through 0.9.44.6 releases and the --private option.

Technical summary

NVD classifies the issue as CVE-2017-5940 with CVSS 3.0 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H and CWE-269. The vulnerability affects Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS. According to the record, Firejail did not comprehensively address dotfile cases in its attempt to prevent access to user files with euid 0, allowing a local attacker to conduct a sandbox-escape attack via a symlink and the --private option. The issue is described as an incomplete fix for CVE-2017-5180.

Defensive priority

High. The issue is local, but the impact is broad: a successful escape defeats the sandbox boundary, and the CVSS vector rates the confidentiality, integrity, and availability impact as high with a changed scope (S:C).

Recommended defensive actions

  • Upgrade Firejail to a fixed release at or above 0.9.44.6, or 0.9.38.10 LTS for the LTS line.
  • Audit systems to identify any deployments still using affected Firejail versions.
  • Review uses of the --private option and verify that containment assumptions are still valid after upgrading.
  • Track vendor release notes and linked patches to confirm the remediation path used in your environment.
  • Prioritize patching on systems where untrusted local users can run code or where Firejail is used to isolate higher-risk applications.
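
For the audit step above, an added example (not code from the Firejail project or the CVE record) that classifies a host's Firejail version against the fixed releases named in this debrief. It assumes `firejail --version` prints a line of the form "firejail version X.Y.Z"; the function names are hypothetical.

```python
import re
import shutil
import subprocess

# Fixed releases named in this debrief.
FIXED_MAINLINE = (0, 9, 44, 6)
FIXED_LTS = (0, 9, 38, 10)   # fix for the 0.9.38.x LTS line
LTS_PREFIX = (0, 9, 38)

# Assumed output format: "firejail version 0.9.44.4"
VERSION_RE = re.compile(r"firejail version (\d+(?:\.\d+)+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if no version line is found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """True if the version is in a range this debrief lists as vulnerable."""
    # Pad to four components so 0.9.44 compares as 0.9.44.0.
    v = tuple(version) + (0,) * (4 - len(version))
    # Integer tuples matter here: as strings, "0.9.38.10" sorts before "0.9.38.8".
    if v[:3] == LTS_PREFIX:
        return v < FIXED_LTS
    return v < FIXED_MAINLINE


def audit_output(text):
    """Classify captured `firejail --version` output."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


def audit_local():
    """Classify the firejail binary found on PATH, if any."""
    path = shutil.which("firejail")
    if path is None:
        return "not-installed"
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, timeout=10)
    return audit_output(out.stdout + out.stderr)


if __name__ == "__main__":
    print(audit_local())
```

A version string alone cannot show whether a distribution backported the fix into an older package, so treat "affected" as a prompt to check the package changelog.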

Evidence notes

The official CVE record and NVD entry identify the affected version ranges, the CVSS score/vector, and the local attack model. The vendor release notes, mailing list reference, and linked commits are included in the source corpus as remediation evidence. The description explicitly ties this issue to incomplete handling of dotfiles and to the earlier CVE-2017-5180 fix.

Official resources

Publicly disclosed on 2017-02-09 in the CVE/NVD record, with vendor and patch references listed in the official source corpus.