Flatpak 1.16.4 has been released with critical security fixes addressing three CVEs. CVE-2026-34078 patches a complete sandbox escape in which the Flatpak portal accepted app-controlled symlinks pointing to arbitrary host paths, enabling full host file access and code execution. CVE-2026-34079 fixes arbitrary file deletion on the host filesystem, caused by the ld.so cache cleanup not validating app-controlled paths. The fix for a third issue (GHSA-2fxp-43j9-pwvc) prevents arbitrary read access to files in the system-helper context, and a fix for orphaning cross-user pull operations is also included.