cvedb.io
CVE-2026-34079
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-07T22:16:22.080 · Last modified 2026-06-17T10:38:31.783

Summary

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Affected products

flatpak — flatpak

Does this affect you?

Add your gear to cvedb and we'll alert you only when flatpak ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.