[Pkg-utopia-maintainers] Bug#1132944: flatpak: CVE-2026-34079: Arbitrary file deletion on the host filesystem

Simon McVittie smcv at debian.org
Tue Apr 7 22:36:41 BST 2026


Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Flatpak older than 1.16.4 has an issue in which the caching for
ld.so removes outdated cache files without properly checking that the
app-controlled path to the outdated cache is in the cache directory. A 
malicious or compromised Flatpak app could use this to delete arbitrary 
files on the host system, a denial of service vulnerability (denying 
availability).

I think we should fix this in the same batch as the much more serious 
CVE-2026-34078.

Thanks,
    smcv
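
An added illustration of the class of check the report describes, not Flatpak's code or its actual fix: the untrusted name is accepted only as a single path component and is removed relative to a descriptor for the cache directory. The function names, the /tmp layout and the file names are assumptions constructed for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: accept exactly one path component, nothing else. */
static int is_plain_filename(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return strchr(name, '/') == NULL;
}

/* Delete a cache entry named by untrusted input; 0 on success, -1 otherwise. */
int remove_cache_entry(const char *cache_dir, const char *untrusted_name)
{
    if (!is_plain_filename(untrusted_name)) return -1;
    int dirfd = open(cache_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    /* Resolved relative to dirfd; a final-component symlink is removed, not followed. */
    int rc = unlinkat(dirfd, untrusted_name, 0);
    close(dirfd);
    return rc;
}

/* Constructed layout: <tmp>/outside.txt and <tmp>/cache/old.cache.
 * Returns 0 when the traversal is refused and the real entry is removed. */
int run_demo(void)
{
    char base[] = "/tmp/cache-demo-XXXXXX", cache[64], outside[64], old[96];
    if (mkdtemp(base) == NULL) return -1;
    snprintf(cache, sizeof cache, "%s/cache", base);
    snprintf(outside, sizeof outside, "%s/outside.txt", base);
    snprintf(old, sizeof old, "%s/old.cache", cache);
    if (mkdir(cache, 0700) != 0) return -1;
    close(open(outside, O_CREAT | O_WRONLY, 0600));
    close(open(old, O_CREAT | O_WRONLY, 0600));
    int refused = remove_cache_entry(cache, "../outside.txt") == -1 && access(outside, F_OK) == 0;
    int removed = remove_cache_entry(cache, "old.cache") == 0 && access(old, F_OK) != 0;
    unlink(outside); rmdir(cache); rmdir(base);
    return (refused && removed) ? 0 : 1;
}

int main(void) { return run_demo(); }
```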


