PT-2021-23126 · Unknown · Qutebrowser

Ping Fan (Zetta) Ke · Published 2020-10-29 · Updated 2022-10-24 · CVE-2021-41146

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: qutebrowser versions 1.7.0 through 2.3.x

Description: The issue allows arbitrary code execution via commands such as :spawn or :debug-pyeval when a specially crafted qutebrowserurl: URL is opened with certain applications. Only Windows installs where qutebrowser is registered as a URL handler are affected. The fix also adds additional hardening for potential similar issues on Linux.

Recommendations:
For qutebrowser versions 1.7.x, apply the backported patch d1ceaab.
For qutebrowser versions 1.8.x, apply the backported patch ca7155d.
For qutebrowser versions 1.9.x, apply the backported patch 157d871.
For qutebrowser versions 1.10.x, apply the backported patch 94a6125.
For qutebrowser versions 1.11.x, apply the backported patch 10acfbb.
For qutebrowser versions 1.12.x, apply the backported patch 363a18f.
For qutebrowser versions 1.13.x, apply the backported patch 410f262.
For qutebrowser versions 1.14.x, apply the backported patch e4f4d93.
For qutebrowser versions 2.0.x, apply the backported patch 15a1654.
For qutebrowser versions 2.1.x, apply the backported patch 509ddf2.
For qutebrowser versions 2.2.x, apply the backported patch 03dcba5.
For qutebrowser versions 2.3.x, apply the backported patch 00a694c.
For all affected versions, remove qutebrowser from the default browser settings entirely to prevent it from handling any kind of URLs.

Fix

Weakness Enumeration

Command Injection
Argument Injection

Related Identifiers

ALT-PU-2020-3156
ALT-PU-2021-3096
ALT-PU-2022-1436
CVE-2021-41146
GHSA-VW27-FWJF-5QXM
PYSEC-2021-382

Affected Products

Alt Linux
Qutebrowser