13 matches found

Github Security Blog
added last week, 8 views

nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`

Summary: The nono Landlock/seccomp policies allow access to local Unix domain sockets, concrete and abstract. This allows an easy sandbox escape by talking to the per-user systemd dbus socket. Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it...

AI score: 6
Exploits: 0, References: 2, Affected Software: 1
OSV
added last week, 4 views

GHSA-27VP-2MMC-VMH3 nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`

Summary: The nono Landlock/seccomp policies allow access to local Unix domain sockets, concrete and abstract. This allows an easy sandbox escape by talking to the per-user systemd dbus socket. Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it...

CVSS: 6.1, AI score: 6
Exploits: 0, References: 2
Vulnrichment
added 2026/05/14 7:52 p.m., 2 views

CVE-2026-8534

Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

AI score: 5.9, EPSS: 0.00073
Exploits: 0, References: 2
SUSE CVE
added 2026/04/10 11:25 p.m., 2 views

SUSE CVE-2026-39860

Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during...

CVSS: 9, AI score: 5.9, EPSS: 0.00013
Exploits: 0, References: 3
Positive Technologies
added 2026/04/07 12:0 a.m., 1 views

PT-2026-31025

Name of the Vulnerable Software and Affected Versions: Flatpak versions prior to 1.16.4. Description: Flatpak, a Linux application sandboxing and distribution framework, contained a flaw where the caching mechanism for ld.so did not adequately verify that an application-controlled path to an outdate...

CVSS: 10, AI score: 5.9, EPSS: 0.00172
Exploits: 0, References: 30
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-26892

Malicious code in bioql PyPI...

CVSS: 7.7, AI score: 7, EPSS: 0.00335
Exploits: 0, References: 10
Packet Storm News
added 2025/08/19 12:0 a.m., 1 views

SaMOSA: Sandbox for Malware Orchestration and Side-Channel Analysis

Cyber-attacks on operational technology (OT) and cyber-physical systems (CPS) have increased tremendously in recent years with the proliferation of malware targeting Linux-based embedded devices of OT and CPS systems. Comprehensive malware detection requires dynamic analysis of execution behavior in...

AI score: 7.1
Exploits: 0
Gitee
added 2025/08/17 12:26 a.m., 98 views

firejail

This repository is an open-source Linux sandboxing platform called Firejail. It is a Linux namespaces and seccomp-bpf sandbox that allows users to run applications in a secure environment, isolating them from the rest of the system. The repository contains a variety of tools and scripts for...

AI score: 6.9
Exploits: 0
SUSE CVE
added 2023/02/15 5:19 a.m., 2 views

SUSE CVE-2015-3335

The NaClSandbox::InitializeLayerTwoSandbox function in components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc in Google Chrome before 42.0.2311.90 does not have RLIMIT_AS and RLIMIT_DATA limits for Native Client (aka NaCl) processes, which might make it easier for remote attackers to conduct...

CVSS: 7.5, AI score: 6.7, EPSS: 0.02071
Exploits: 1, References: 3
OSV
added 2021/11/02 10:15 p.m., 1 views

DEBIAN-CVE-2017-5123

Insufficient data validation in waitid allowed a user to escape sandboxes on Linux...

CVSS: 8.8, AI score: 7, EPSS: 0.01713
Exploits: 10, References: 1
OSV
added 2021/06/29 8:6 a.m., 4 views

OPENSUSE-SU-2021:0941-1 Security update for tor

This update for tor fixes the following issues: tor 0.4.5.9: Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell (CVE-2021-34548, boo#1187322); Detect more failure conditions from the OpenSSL RNG code (boo#1187323); Resist a hashtable-based CPU denial-of-service attack against relays (CVE-2021-34549...

CVSS: 7.5, AI score: 7.6, EPSS: 0.00827
Exploits: 1, References: 10
Tenable Nessus
added 2019/02/22 12:0 a.m., 54 views

Virtuozzo 7 : flatpak / flatpak-builder / flatpak-devel / etc (VZLSA-2019-0375)

An update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...

CVSS: 8.2, AI score: 7.4, EPSS: 0.00064
Exploits: 0, References: 3
Tenable Nessus
added 2016/08/15 12:0 a.m., 50 views

Fedora 24 : chromium (2016-e9798eaaa3)

On 2016-08-04 Google released Chrome 52.0.2743.116 which fixes at least 8 security issues: CVE-2016-5141, CVE-2016-5142, CVE-2016-5139, CVE-2016-5140, CVE-2016-5145, CVE-2016-5143 and CVE-2016-5144. Additionally, this update : - Splits libmedia and libffmpeg into the libs-media subpackage, so tha...

CVSS: 9.8, AI score: 7.1, EPSS: 0.02836
Exploits: 0, References: 8