cvedb.io
CVE-2024-42472
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2024-08-15T19:15:19.233 · Last modified 2026-06-17T07:49:30.987

Summary

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aw

Affected products

flatpak — flatpak

Does this affect you?

Add your gear to cvedb and we'll alert you only when flatpak ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.