Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.
Conclusion & alert: CVE-2019-10063 is rated Moderate Risk (64.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.91%). Core evidence: EPSS rose +1.51% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.40% | 1.91% | +1.51% |
| 2 | 2026-06-03 | 0.15% | 0.40% | +0.25% |
| 3 | 2026-05-27 | — | 0.15% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.0 | 3.0 | CRITICAL |
|
2.2 | 6.0 | [email protected] |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
critical | CVE-2019-10063: 1 source package rows (flatpak); 7 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 0. | https://security.alpinelinux.org/vuln/CVE-2019-10063 |
debian
|
not yet assigned | CVE-2019-10063 not yet assigned priority: Debian including 1 source packages (flatpak), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2019-10063 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2019-10063 |
suse
|
high | CVE-2019-10063 severity important: SUSE including 77 source package names (flatpak, flatpak-1.0.2-5.el7_6, …), 172 product×package rows across 38 product lines (SUSE CaaS Platform 4.0, SUSE CaaS Platform 4.5, … (38 product lines)): Known Not Affected 89, Fixed 83. | https://www.suse.com/security/cve/CVE-2019-10063/ |
ubuntu
|
medium | CVE-2019-10063 medium priority: Ubuntu including 1 source packages (flatpak), 6 status rows across 6 suites (bionic, cosmic, disco, trusty, upstream, xenial): released 3, DNE 2, not-affected 1. | https://ubuntu.com/security/CVE-2019-10063 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| flatpak | flatpak | < 1.0.8 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| flatpak | flatpak | >= 1.1.0, <= 1.1.3 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| flatpak | flatpak | >= 1.2.0, < 1.2.4 | cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:* |
| flatpak | flatpak | 1.3.0 | cpe:2.3:a:flatpak:flatpak:1.3.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2019:1024 | |
| https://access.redhat.com/errata/RHSA-2019:1143 | |
| https://github.com/flatpak/flatpak/issues/2782 | Issue Tracking Patch Third Party Advisory |