HIGHCVE-2026-34079Published 2026-04-07Modified 2026-04-10CNA GitHub_M

CVE-2026-34079: Flatpak affected by arbitrary file deletion on the host filesystem

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

flatpak / flatpak
< 1.16.4

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp

Metrics