Local root vulnerability in snap-confine
Posted Feb 20, 2022 12:54 UTC (Sun) by smcv (subscriber, #53363) In reply to: Local root vulnerability in snap-confine by walters
Parent article: Local root vulnerability in snap-confine
The sandboxing layer of Flatpak *usually* (on modern distros) runs with the privileges of its caller, and can't do anything its caller couldn't already do on their own.
The exception to that is when the distro doesn't allow unprivileged users to create new user namespaces, for example Debian 10 and RHEL 7, in which case the bubblewrap executable (typically /usr/bin/bwrap or /usr/libexec/flatpak-bwrap) needs to be setuid root. I don't think it's coincidence that two out of four CVEs reported against bubblewrap have only been applicable when it's setuid root, and those two were the really serious ones. Setuid is dangerous and it's good to avoid it whenever possible (see also the recent pkexec vulnerability).
(CVE-2016-8659 and CVE-2020-5291 were root privilege escalation when setuid root, but were not applicable when not setuid root; CVE-2017-5226 wasn't really a vulnerability in bubblewrap at all, but more like a vulnerability in Flatpak and other bubblewrap users; CVE-2019-12439 only applied in unusual system configurations, and as far as I'm aware it was only a denial-of-service.)
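An added POSIX shell check (not from the comment above, nor from bubblewrap or Flatpak) for the configuration the comment describes: whether the two bubblewrap paths it names are installed setuid root, and whether unprivileged user namespaces are allowed, which decides whether a setuid bwrap is needed at all. The sysctl paths are assumed: the Debian-specific `kernel.unprivileged_userns_clone` and the upstream `user.max_user_namespaces` knob.

```shell
#!/bin/sh
# Added example: audit bubblewrap setuid status vs. unprivileged userns.

# is_setuid PATH -> 0 if the setuid mode bit is set (any owner)
is_setuid() {
    [ -u "$1" ]
}

# is_setuid_root PATH -> 0 if setuid AND owned by root (the risky case)
is_setuid_root() {
    is_setuid "$1" && [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# unpriv_userns_allowed -> 0 if unprivileged users may create user
# namespaces; best effort, reads the Debian knob then the upstream limit
unpriv_userns_allowed() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
    fi
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" != 0 ] || return 1
    fi
    return 0
}

# classify_bwrap PATH -> prints missing | setuid-root | setuid-other | unprivileged
classify_bwrap() {
    if [ ! -e "$1" ]; then echo missing
    elif is_setuid_root "$1"; then echo setuid-root
    elif is_setuid "$1"; then echo setuid-other
    else echo unprivileged
    fi
}

# audit -> one line per bubblewrap path named in the comment, plus the
# userns verdict that says whether setuid root is actually required
audit() {
    for p in /usr/bin/bwrap /usr/libexec/flatpak-bwrap; do
        printf '%s: %s\n' "$p" "$(classify_bwrap "$p")"
    done
    if unpriv_userns_allowed; then
        echo "unprivileged user namespaces: allowed (setuid bwrap not needed)"
    else
        echo "unprivileged user namespaces: blocked (bwrap must be setuid root)"
    fi
}
```

Run `audit` on a host to see which case applies; a `setuid-root` result together with "allowed" means the setuid bit is carried for no reason and can be dropped.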
