
Flatpak 1.16.4 Brings Important Security Fixes For Sandbox Escape & Deleting Host Files

([Free Software] 14 Minutes Ago Flatpak 1.16.4)


The Flatpak app sandboxing and distribution system is out today with important security updates.

First up with Flatpak 1.16.4 is a fix for CVE-2026-34078, a security issue allowing a complete sandbox escape leading to host file access and code execution in the host context. Ouch. The issue is due to the Flatpak portal accepting paths in the sandbox-expose options that can be app-controlled symlinks pointing at arbitrary paths. As a result, apps can access all host files, and that access can be used as a primitive for gaining code execution in the host context. Disabling the Flatpak portal is another way to work around this issue, but it can cause app problems.

CVE-2026-34079 is also fixed; it allowed arbitrary file deletion on the host file-system. CVE-2026-34079 stems from the ld.so caching code removing outdated cache files without checking that the app-controlled path to the outdated cache actually lies within the cache directory.
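The two issues above share a root cause: an app-controlled path is trusted before the symlinks in it are resolved. The following is an added example, not Flatpak's own code, showing in Python the containment check that class of bug calls for: on a constructed directory layout, a naive prefix check accepts a path that passes through an app-controlled symlink, while a check that resolves the path first rejects it and so refuses to delete the file the symlink points at.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_inside(base: str, candidate: str) -> bool:
    """Lexical prefix check on the unresolved path: this is the bug pattern."""
    return os.path.abspath(candidate).startswith(os.path.abspath(base) + os.sep)


def resolved_inside(base: str, candidate: str) -> bool:
    """Resolve every symlink first, then require real containment in base."""
    real_base = Path(base).resolve(strict=True)
    real_cand = Path(candidate).resolve(strict=True)
    return real_cand != real_base and real_base in real_cand.parents


def remove_stale_cache_entry(cache_dir: str, entry: str) -> bool:
    """Delete an outdated cache entry only if it really lives under cache_dir."""
    if not resolved_inside(cache_dir, entry):
        return False
    os.unlink(entry)
    return True


def demo() -> dict:
    """Constructed layout: cache/linkdir is a symlink to a directory outside the cache."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "cache")
    hostdir = os.path.join(root, "hostdir")             # stands in for a host directory
    os.makedirs(cache)
    os.makedirs(hostdir)
    os.symlink(hostdir, os.path.join(cache, "linkdir"))  # app-controlled symlink
    victim = os.path.join(cache, "linkdir", "important")  # lexically under cache
    Path(os.path.join(hostdir, "important")).write_text("host data\n")
    stale = os.path.join(cache, "old.cache")              # genuinely stale entry
    Path(stale).write_text("stale\n")
    out = {
        "naive_accepts_symlinked_path": naive_inside(cache, victim),
        "resolved_accepts_symlinked_path": resolved_inside(cache, victim),
        "stale_entry_removed": remove_stale_cache_entry(cache, stale),
        "symlinked_entry_removed": remove_stale_cache_entry(cache, victim),
        "host_file_intact": os.path.exists(os.path.join(hostdir, "important")),
    }
    shutil.rmtree(root)
    return out
```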

GHSA-2fxp-43j9-pwvc is another security issue fixed, preventing arbitrary read access to files in the system-helper context. Lastly there is a fix for preventing the orphaning of cross-user pull operations.

Flatpak 1.16.4 downloads and more details on the new release are available via [1]GitHub.



[1] https://github.com/flatpak/flatpak/releases/tag/1.16.4
