diff --git a/wrap.sh b/wrap.sh
index 24530a3..bb55748 100755
--- a/wrap.sh
+++ b/wrap.sh
@@ -374,6 +374,7 @@ for e in "${env_vars[@]}"; do
 done
 exec bwrap \
+ --new-session \ # to prevent CVE-2017-5226 -- bubblewrap escape via TIOCSTI ioctl https://github.com/containers/bubblewrap/issues/142
 --chdir "$bwrap_chdir" \
 --clearenv \
 --dev /dev \
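Review bot: The trailing comment on the added `--new-session \ # to prevent CVE-2017-5226 …` line breaks the line continuation, assuming it shares a physical line with the backslash, as the single `+` marker and the 6→7 hunk count indicate. In shell, `\ ` escapes the space rather than the newline and `#` then starts a comment, so the `exec bwrap` command ends on that line with `--new-session` plus a lone space argument. `--chdir`, `--clearenv`, `--dev /dev` and every later option are never passed, so the wrapper either fails or runs without its intended sandbox setup. Keep the backslash as the last character, `--new-session \`, and move the rationale to its own line above `exec bwrap \`, for example `# --new-session: setsid() detaches the sandbox from the controlling terminal (CVE-2017-5226, TIOCSTI input injection), see https://github.com/containers/bubblewrap/issues/142`. The bwrap invocation continues past the end of the hunk, so the remaining options were not reviewed.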