CVE-2021-42762 [Medium] | Security Bypass in Webkitgtk

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-21	0.08%	0.01%	-0.07%
2	2025-11-18	0.01%	0.08%	+0.07%
3	2025-03-17	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-11-21

0.08%

0.01%

-0.07%

2025-11-18

0.01%

0.08%

+0.07%

2025-03-17

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.	1.8	3.4	[email protected]
4.6	2.0	MEDIUM	`AV:L/AC:L/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	3.9	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.3

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

1.8

3.4

[email protected]

4.6

2.0

MEDIUM

AV:L/AC:L/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

3.9

6.4

[email protected]

OS Trackers for CVE-2021-42762

vendor	priority	summary	link
`alpine`	medium	CVE-2021-42762: 1 source package rows (webkit2gtk); 5 state rows across 5 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, edge-community); fixed 5, open 0.	https://security.alpinelinux.org/vuln/CVE-2021-42762
`debian`	not yet assigned	CVE-2021-42762 not yet assigned priority: Debian including 2 source packages (webkit2gtk, wpewebkit), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10.	https://security-tracker.debian.org/tracker/CVE-2021-42762
`gentoo`	high	CVE-2021-42762: 1 GLSA(s) (202202-01), 1 atom(s) (net-libs/webkit-gtk); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-42762
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-42762
`suse`	high	CVE-2021-42762 severity important: SUSE including 146 source package names (WebKit2GTK-4.1-lang-2.36.0-150400.2.13, WebKit2GTK-5.0-lang-2.36.0-150400.2.12, …), 363 product×package rows across 52 product lines (HPE Helion OpenStack 8, SUSE CaaS Platform 4.0, … (52 product lines)): Fixed 363.	https://www.suse.com/security/cve/CVE-2021-42762/
`ubuntu`	medium	CVE-2021-42762 medium priority: Ubuntu including 5 source packages (qtwebkit-opensource-src, qtwebkit-source, webkit2gtk, webkitgtk, wpewebkit), 60 status rows across 12 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, trusty, upstream, xenial): DNE 27, ignored 20, released 9, needs-triage 3, not-affected 1.	https://ubuntu.com/security/CVE-2021-42762

Affected software / configurations for CVE-2021-42762

Vendor	Product	Version	Raw CPE
webkitgtk	webkitgtk	< 2.34.1	cpe:2.3:a:webkitgtk:webkitgtk::::::::
wpewebkit	wpe_webkit	< 2.34.1	cpe:2.3:a:wpewebkit:wpe_webkit::::::::
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2021-42762

URL	Tags
http://www.openwall.com/lists/oss-security/2021/10/26/9	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/2	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/10/27/4	Mailing List Third Party Advisory
https://bugs.webkit.org/show_bug.cgi?id=231479	Exploit Issue Tracking Vendor Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6MGXCX7P5AHWOQ6IRT477UKT7IS4DAD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5J2LZQTDX53DNSKSGU7TQYCO2HKSTY4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ON5SDVVPVPCAGFPW2GHYATZVZYLPW2L4/
https://www.debian.org/security/2021/dsa-4995	Third Party Advisory
https://www.debian.org/security/2021/dsa-4996	Third Party Advisory

URL

CVE-2021-42762

Public exploit references (Exploit-DB) for CVE-2021-42762

Exploit prediction scoring system (EPSS) score for CVE-2021-42762

Common vulnerability scoring system (CVSS) metrics for CVE-2021-42762

Weakness enumeration for CVE-2021-42762

OS Trackers for CVE-2021-42762

Affected software / configurations for CVE-2021-42762

References for CVE-2021-42762