CVE-2026-34079
Published 2026-04-07
Priority P3 · 47 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.32% (24.0th percentile)
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
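The defect class described here (CWE-22, per the Red Hat record below) is a delete-by-path that never confirms the candidate path still resolves inside the cache directory. The following Python is an added illustration, not Flatpak's code or its actual fix: a flawed `remove_stale_unsafe` beside a hardened `remove_stale_safe`, exercised against a constructed temporary-directory layout with two escaping paths (a `..` component and a symlinked directory component).

```python
import os
import tempfile

def is_within(path: str, root: str) -> bool:
    """True if `path`, with symlinks and '..' resolved, lies strictly inside `root`."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path != real_root and os.path.commonpath([real_root, real_path]) == real_root

def remove_stale_unsafe(stale_path: str) -> bool:
    """Flawed pattern (the CWE-22 class described above): unlink whatever path the app supplied."""
    try:
        os.unlink(stale_path)
        return True
    except FileNotFoundError:
        return False

def remove_stale_safe(cache_dir: str, stale_path: str) -> bool:
    """Hardened pattern: unlink only if the resolved path is inside the resolved cache dir.
    Resolve-then-unlink still leaves a small race window; a production fix would also pin
    the directory with an fd (openat/unlinkat) rather than re-walking the path string."""
    if not is_within(stale_path, cache_dir):
        return False  # refuse: the path escapes the cache directory
    return remove_stale_unsafe(stale_path)

def demo() -> dict:
    """Constructed scenario (hypothetical layout, not Flatpak's): a cache dir, two host files
    outside it, one genuinely stale entry, and two escaping paths."""
    with tempfile.TemporaryDirectory() as top:
        cache_dir = os.path.join(top, "ld.so-cache")
        os.mkdir(cache_dir)
        host_a, host_b = os.path.join(top, "host-a"), os.path.join(top, "host-b")
        stale = os.path.join(cache_dir, "old.cache")
        for f in (host_a, host_b, stale):
            open(f, "w").close()
        os.symlink(top, os.path.join(cache_dir, "sub"))  # symlinked dir component that escapes
        via_dots_a = os.path.join(cache_dir, "..", "host-a")
        via_dots_b = os.path.join(cache_dir, "..", "host-b")
        via_link_b = os.path.join(cache_dir, "sub", "host-b")
        return {
            # unsafe: the '..' path is honoured and the host file outside the cache is gone
            "unsafe_deleted_host": remove_stale_unsafe(via_dots_a) and not os.path.exists(host_a),
            # safe: both escapes are refused and host-b survives
            "safe_refused_dots": not remove_stale_safe(cache_dir, via_dots_b),
            "safe_refused_link": not remove_stale_safe(cache_dir, via_link_b),
            "host_b_intact": os.path.exists(host_b),
            # safe: a real stale entry inside the cache dir is still removed
            "stale_removed": remove_stale_safe(cache_dir, stale) and not os.path.exists(stale),
        }
```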
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | flatpak | < flatpak 1.16.4-1 (sid) | flatpak 1.16.4-1 (sid) |
| flatpak | flatpak | < 1.16.4 | 1.16.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.7 | HIGH | |
| vendor_debian | | 8.7 | HIGH | |
| vendor_redhat | | 8.7 | HIGH | |
OSV
CVE-2026-34079: Flatpak is a Linux application sandboxing and distribution framework
osv · 2026-04-07 · CVSS 8.7 · HIGH
Red Hat
flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation
vendor_redhat · 2026-04-07 · CVSS 8.7 · HIGH · CWE-22
A flaw was found in Flatpak, a Linux application sandboxing and distribution framework. The caching mechanism for ld.so (dynamic linker/loader) improperly removes outdated cache files without adequately verifying that the application-controlled path to the outdated cache is within the designated cache directory. This vulnerability allows Flatpak applications to delete arbitrary files on the host system, potentially leading to system instability or data loss.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability
Debian
CVE-2026-34079: flatpak - Flatpak is a Linux application sandboxing and distribution framework. Prior to 1...
vendor_debian · 2026 · CVSS 8.7 · HIGH
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in 1.16.4-1)
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation [fedora-42]
bugzilla · 2026-04-08 · CVSS 8.7 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-2a3e305ac4 (flatpak-1.16.6-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2a3e305ac4
Bugzilla
CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation [fedora-43]
bugzilla · 2026-04-08 · CVSS 8.7 · HIGH
Discussion:
FEDORA-2026-5286084b44 (flatpak-1.16.6-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-5286084b44
Bugzilla
CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation
bugzilla · 2026-04-07 · CVSS 8.7 · HIGH
Wiz
CVE-2026-34079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · HIGH
Linux Debian vulnerability analysis and mitigation (source: NVD)
| Field | Value |
|---|---|
| Score | 8.7 (CNA score 8.7) |
| Severity | HIGH |
| Published | April 7, 2026 |
| Affected technologies | Linux Debian, Linux Red Hat |
| Has public exploit | No |
| Has CISA KEV exploit | No |
| CISA KEV release date | N/A |
| CISA KEV due date | N/A |
| Exploitation probability (EPSS) | 0.2 |
| Exploitation probability percentile (EPSS) | 42.4 |
| Affected packages and libraries | flatpak-selinux, flatpak-s |