CVE-2026-34079
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the ld.so caching code removes outdated cache files without properly checking that the app-controlled path to the outdated cache is inside the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-34079.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-34079
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.14.10-1~deb12u2 |
| debian | bullseye | affected | |
| debian | forky | fixed | 1.16.4-1 |
| debian | sid | fixed | 1.16.4-1 |
| debian | trixie | fixed | 1.16.6-1~deb13u1 |
| sles | | affected | |