CVE-2017-5226 is an issue with bubblewrap that allows a program running in a sandbox to escape and get the same privileges as the parent process. I recently discovered this by mistake and it is fairly concerning to me. ~~I believe it applies to Flatpak as Flatpak uses bubblewrap under the hood.~~
~~Many people like to boast about how secure and private Flatpak is, and some even run untrusted software in it. However, the reality is that there hasn't been a lot of testing, and the fact that this CVE still exists but isn't well known is concerning.~~
The reason it wasn't patched is that it is really hard to properly fix. The workaround is to call bubblewrap with the --new-session flag, as this effectively prevents the escape. However, this breaks interactive programs such as htop. Also, the bubblewrap team believes this is an issue that should be solved downstream, as this CVE is technically not a CVE in the traditional sense.
I think it is still better to run Flatpak over non-Flatpak, but it is something to be aware of.
Edit:
It doesn't apply to Flatpak as it is patched in 1.3.1 and higher: https://github.com/flatpak/flatpak/security/advisories/GHSA-7gfv-rvfx-h87x
Basically this is a communication and people problem not a technical one
Edit2:
This isn't exploitable on modern systems with 6.1 or newer with the way most distros compile the kernel
That is true and is even mentioned by bubblewrap
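The post names two things that stop this escape: launching bwrap with `--new-session`, and a kernel that no longer honours the legacy TIOCSTI ioctl (the 6.1-or-newer point from Edit2). Below is an added example, not code from the post or from the bubblewrap project, that a wrapper script can run before launching a sandbox to verify that at least one of those mitigations is actually in place. It assumes the kernel exposes its setting as `/proc/sys/dev/tty/legacy_tiocsti` (the `dev.tty.legacy_tiocsti` sysctl on kernels that have it; older kernels do not have the file, and the script treats that as "not mitigated"). The functions take their inputs as arguments so they can be checked against constructed data without bwrap or a matching kernel.

```shell
#!/bin/sh
# Added example (not from the post or the bubblewrap project): verify the two
# mitigations the post describes before launching a sandboxed program.
#   1. the bwrap command line carries --new-session (the sandboxed process is
#      detached from the parent's controlling terminal, which the TIOCSTI
#      escape needs in order to inject keystrokes into the parent)
#   2. the kernel disables legacy TIOCSTI via the dev.tty.legacy_tiocsti sysctl
#      (assumption: readable at /proc/sys/dev/tty/legacy_tiocsti on kernels
#      that provide it; absent on older kernels)

# Return 0 if "--new-session" appears among the arguments, 1 otherwise.
has_new_session() {
  for arg in "$@"; do
    if [ "$arg" = "--new-session" ]; then
      return 0
    fi
  done
  return 1
}

# Return 0 if the kernel reports legacy TIOCSTI disabled (value 0).
# $1 is the sysctl file to read; defaults to the real /proc path, tests pass
# a constructed file. A missing or unreadable file counts as "not mitigated".
tiocsti_disabled() {
  file="${1:-/proc/sys/dev/tty/legacy_tiocsti}"
  if [ ! -r "$file" ]; then
    return 1
  fi
  [ "$(cat "$file" 2>/dev/null)" = "0" ]
}

# Usage: check_bwrap_invocation SYSCTL_FILE bwrap [bwrap args...]
# Prints a verdict and returns 0 only when at least one mitigation applies.
check_bwrap_invocation() {
  sysctl_file="$1"
  shift
  if tiocsti_disabled "$sysctl_file"; then
    echo "ok: kernel disables legacy TIOCSTI; --new-session not required"
    return 0
  fi
  if has_new_session "$@"; then
    echo "ok: --new-session present (note: interactive programs such as htop may break)"
    return 0
  fi
  echo "warning: legacy TIOCSTI enabled and --new-session missing;" \
       "a sandboxed program could inject input into the parent terminal"
  return 1
}

# When run directly with a bwrap command line, check it against the live sysctl.
# Example: ./check.sh bwrap --ro-bind / / --unshare-all --new-session sh
if [ $# -gt 0 ]; then
  check_bwrap_invocation "" "$@"
fi
```

Dropping the check into the script that builds the bwrap command line (before `exec bwrap ...`) turns the post's workaround into something that fails loudly instead of silently running an unmitigated sandbox; on a kernel where `legacy_tiocsti` is 0 the script reports that `--new-session` is unnecessary, which is when interactive tools such as htop can be kept working.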