Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.
https://www.debian.org/security/2021/dsa-4849
https://security.gentoo.org/glsa/202105-19
https://lists.debian.org/debian-lts-announce/2021/02/msg00015.html
https://github.com/netblue30/firejail/releases/tag/0.9.64.4
https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b