CVE-2026-48831

NameCVE-2026-48831
DescriptionWine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wine (PTS)bullseye5.0.3-3vulnerable
bookworm8.0~repack-4vulnerable
trixie10.0~repack-6vulnerable
sid10.0~repack-12vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
winesource(unstable)(unfixed)

Notes

https://bugs.winehq.org/show_bug.cgi?id=59767
https://www.openwall.com/lists/oss-security/2026/05/19/1
https://www.openwall.com/lists/oss-security/2026/05/25/1
Search for package or bug name: Reporting problems