{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34079", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.868Z", "datePublished": "2026-04-07T21:29:44.601Z", "dateUpdated": "2026-04-07T21:29:44.601Z"}, "containers": {"cna": {"title": "Flatpak affected by arbitrary file deletion on the host filesystem", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp"}], "affected": [{"vendor": "flatpak", "product": "flatpak", "versions": [{"version": "< 1.16.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:29:44.601Z"}, "descriptions": [{"lang": "en", "value": "Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4."}], "source": {"advisory": "GHSA-p29x-r292-46pp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4."}], "id": "CVE-2026-34079", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T22:16:22.080", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation", "id": "2456284", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456284"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Flatpak, a Linux application sandboxing and distribution framework. The caching mechanism for ld.so (dynamic linker/loader) improperly removes outdated cache files without adequately verifying that the application-controlled path to the outdated cache is within the designated cache directory. This vulnerability allows Flatpak applications to delete arbitrary files on the host system, potentially leading to system instability or data loss."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34079", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "flatpak", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "flatpak", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "flatpak", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-07T21:29:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34079\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34079\nhttps://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.16.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "flatpak", "source": "cna", "vendor": "flatpak"}, "product": "flatpak", "vendor": "flatpak"}], "analysis": {"en": {"generated_at": "2026-04-08T00:22:11.471115+00:00", "value": {"mitigation_remediation": ["Update Flatpak to version 1.16.4 or later, where the ld.so cache deletion logic has been fixed.", "If an immediate update is not possible, quarantine or remove any untrusted Flatpak applications and avoid running them on systems with the vulnerable Flatpak version.", "When critical, restrict file access for Flatpak applications by configuring AppArmor or SELinux policies to limit host filesystem visibility."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "The flaw exists in all Flatpak builds before version 1.16.4. Linux systems running Flatpak 1.16.3 or earlier are affected regardless of distribution or host filesystem layout. The affected product is the Flatpak runtime.", "description_and_impact": "A flaw in Flatpak\u2019s ld.so caching mechanism allows a sandboxed application to delete arbitrary files on the host system. The missing boundary checks create a path traversal that falls under CWE-22: Path Traversal. A malicious or compromised app can remove critical host files, compromising confidentiality, integrity, and potentially availability.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity vulnerability, while EPSS data is not available. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is local; an attacker must install or run a malicious Flatpak application. Once executed inside the sandbox, the application can trigger deletion of arbitrary host files, presenting a significant risk to system integrity."}}}}, "created": "2026-04-08T19:34:04.146623+00:00", "updated": "2026-04-08T19:45:30.148633+00:00", "vendors": ["flatpak", "flatpak$PRODUCT$flatpak"]}