SB2026040858 - Multiple vulnerabilities in Flatpak
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper access control in org.freedesktop.Flatpak.SystemHelper.CancelPull when handling a CancelPull request for another user's ongoing pull. A remote user can invoke CancelPull on another user's pull to cause a denial of service.
2) Link following (CVE-ID: N/A)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper link resolution in the OCI code paths of the system helper when importing OCI images under user control. A local user can provide a specially crafted OCI image with symlinks to disclose sensitive information.
Only systems with a system OCI repository configured are vulnerable.
3) Path traversal (CVE-ID: CVE-2026-34079)
The vulnerability allows a local user to delete arbitrary files on the host filesystem.
The vulnerability exists due to improper path validation in ld.so cache file caching when removing outdated cache files. A local user can control the path to an outdated cache file to delete arbitrary files on the host filesystem.
4) Improper access control (CVE-ID: CVE-2026-34078)
The vulnerability allows a remote attacker to execute code in the host context.
The vulnerability exists due to improper access control in the Flatpak portal and flatpak run when processing sandbox-expose options containing app-controlled symlinks. A remote attacker can supply a crafted path to gain access to arbitrary host files and execute code in the host context.
The issue enables sandbox escape from a Flatpak app to the host environment.
Remediation
Install update from vendor's website.