CVE-2021-44731: 
Linux Debian vulnerability analysis and mitigation

A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This vulnerability (CVE-2021-44731) was discovered by the Qualys Research Team and disclosed in February 2022. The vulnerability affected the snap-confine component, which is installed by default on Ubuntu systems and is used internally by snapd to construct the execution environment for snap applications (NVD, Ubuntu Security).

The vulnerability exists in the setupprivatemount() function of snap-confine. The function passes an absolute path to the mount() syscall, which follows symlinks. This creates a race condition where an attacker could replace /tmp/snap.$SNAP_NAME with another directory containing a symlink named "tmp" pointing to an arbitrary directory. Because the mount() call follows symlinks, this allows tricking snap-confine into bind-mounting an arbitrary directory onto /tmp inside the snap's mount namespace. The vulnerability received a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD, Qualys Advisory).

This vulnerability could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code, leading to privilege escalation. The impact is particularly severe as snap-confine runs with root privileges (NVD).

The vulnerability was fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04, and 2.54.3+21.10.1. Users should update their systems to these patched versions. The fix was also backported to various distributions including Debian (2.37.4-1+deb10u1 for oldstable and 2.49-1+deb11u1 for stable) and Fedora (Ubuntu Security, Debian Security).