CVE-2026-5674

Summary

A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An attacker with minimal permissions within a sandboxed environment can load a malicious library, leading to arbitrary code execution outside the sandbox and potential compromise of the user's system.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-427: Uncontrolled Search Path Element

Workarounds

To mitigate this issue, restrict containerized applications from accessing the PulseAudio socket or writing to host-visible paths. Additionally, configure PipeWire to prevent module loading by setting pulse.allow-module-loading = false in the PipeWire PulseAudio configuration. Alternatively, restrict the dlopen() paths for module-ladspa-sink to trusted system directories like /usr/lib/ladspa/ and /usr/lib64/ladspa/. Applying these changes may require restarting the PipeWire service to take effect, which could impact audio functionality.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References