Description
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

A flaw in Flatpak’s ld.so caching mechanism allows a sandboxed application to delete arbitrary files on the host system. The missing boundary checks create a path traversal that falls under CWE-22: Path Traversal. A malicious or compromised app can remove critical host files, compromising confidentiality, integrity, and potentially availability.

Affected Systems

The flaw exists in all Flatpak builds before version 1.16.4. Linux systems running Flatpak 1.16.3 or earlier are affected regardless of distribution or host filesystem layout. The affected product is the Flatpak runtime.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability, while EPSS data is not available. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is local; an attacker must install or run a malicious Flatpak application. Once executed inside the sandbox, the application can trigger deletion of arbitrary host files, presenting a significant risk to system integrity.

Generated by OpenCVE AI on April 8, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Flatpak to version 1.16.4 or later, where the ld.so cache deletion logic has been fixed.
  • If an immediate update is not possible, quarantine or remove any untrusted Flatpak applications and avoid running them on systems with the vulnerable Flatpak version.
  • When critical, restrict file access for Flatpak applications by configuring AppArmor or SELinux policies to limit host filesystem visibility.

Generated by OpenCVE AI on April 8, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6207-1 flatpak security update
Debian DSA Debian DSA DSA-6223-1 flatpak security update
History

Fri, 17 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Flatpak
Flatpak flatpak
Vendors & Products Flatpak
Flatpak flatpak

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L'}

threat_severity

Moderate

Tue, 07 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Title Flatpak affected by arbitrary file deletion on the host filesystem
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Flatpak Flatpak
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T20:13:47.945Z

Reserved: 2026-03-25T16:21:40.868Z

Link: CVE-2026-34079

cve-icon Vulnrichment

Updated: 2026-04-10T20:13:41.649Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T22:16:22.080

Modified: 2026-04-17T20:26:32.860

Link: CVE-2026-34079

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T21:29:44Z

Links: CVE-2026-34079 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:30Z

Weaknesses