CVE-2026-34078
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| flatpak | flatpak | < 1.16.4 | affected |
Weaknesses
- CWE-61: CWE-61: UNIX Symbolic Link (Symlink) Following
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2026/04/09/8
- http://www.openwall.com/lists/oss-security/2026/04/10/14
flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options
Additional References
- https://access.redhat.com/security/cve/CVE-2026-34078
- https://bugzilla.redhat.com/show_bug.cgi?id=2456276
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34078.json
- https://access.redhat.com/errata/RHSA-2026:23420
- https://access.redhat.com/errata/RHSA-2026:21757
- https://access.redhat.com/errata/RHSA-2026:21756
- https://access.redhat.com/errata/RHSA-2026:30901
- https://access.redhat.com/errata/RHSA-2026:25381
- https://access.redhat.com/errata/RHSA-2026:25068
- https://access.redhat.com/errata/RHSA-2026:23419
- https://access.redhat.com/errata/RHSA-2026:23417
- https://access.redhat.com/errata/RHSA-2026:23418
- https://access.redhat.com/errata/RHSA-2026:21755
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.