[Pkg-utopia-maintainers] Bug#1132945: flatpak: GHSA-89xm-3m96-w3jg: cross-user CancelPull orphans another user's ongoing pull
Simon McVittie
smcv at debian.org
Tue Apr 7 22:38:55 BST 2026
Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Flatpak older than 1.16.4 has an issue in which one local user can
use the CancelPull method to cancel an ongoing download by a second
local user, preventing the second user from subsequently cancelling that
download. This is (at least arguably) a denial of service. No CVE ID has
been assigned: it was not clear whether this is really a security
vulnerability, or just a bug.

I think we should fix this in the same batch as the much more serious
CVE-2026-34078.

Thanks,
smcv