CVE-2026-34079
Published: 07 April 2026
Summary
CVE-2026-34079 is a high-severity Path Traversal (CWE-22) vulnerability in Flatpak. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the specific flaw in Flatpak versions prior to 1.16.4, directly eliminating the path traversal vulnerability as recommended in the advisory.
- SI-10 (Information Input Validation): mandates validation of application-controlled paths in the ld.so caching mechanism to ensure they reside within the designated cache directory, preventing arbitrary host file deletion.
- Enforces organizational policies to restrict or monitor user-installed Flatpak applications, blocking execution of malicious apps that exploit the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal in Flatpak's ld.so cache allows a malicious sandboxed app to delete arbitrary host files (T1070.004 File Deletion); exploitation requires user execution of the malicious Flatpak application (T1204.002 Malicious File).
NVD Description
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Deeper analysis
CVE-2026-34079 is a path traversal vulnerability (CWE-22) in Flatpak, a Linux application sandboxing and distribution framework. Versions prior to 1.16.4 contain a flaw in the ld.so caching mechanism: outdated cache files are removed without verifying that the application-controlled path resides within the designated cache directory. This defect lets a Flatpak application delete arbitrary files on the host system, and the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The vulnerability can be exploited by any attacker who can convince a user to install and run a malicious Flatpak application; no special privileges are needed, and the only user interaction involved is running the app. Successful exploitation grants the ability to delete any file on the host filesystem outside the sandbox, potentially disrupting system operations, corrupting data, or facilitating further attacks such as persistence or lateral movement.
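The containment check that the SI-10 mitigation describes, written out as an added example in C. This is not Flatpak's code and does not reproduce the 1.16.4 fix; the function names (`path_within_dir`, `remove_cache_entry_safely`, `run_demo`), the temporary-directory layout and the file names are constructed for illustration. The point it demonstrates is that the cache directory and the candidate entry are both canonicalised with `realpath()` before `unlink()`, so an entry that escapes via `..` or via a symlink is refused and the host file survives:

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical containment check (not Flatpak's code).
 * True only if `candidate` canonicalises to a path strictly below the
 * canonical `cache_dir`. realpath() resolves ".." and symlinks, so a
 * lexically innocent-looking path that escapes via a link is rejected too.
 * Both paths must exist; a missing file is treated as "not inside". */
bool path_within_dir(const char *cache_dir, const char *candidate)
{
    char dir_real[PATH_MAX], cand_real[PATH_MAX];
    if (realpath(cache_dir, dir_real) == NULL) return false;
    if (realpath(candidate, cand_real) == NULL) return false;
    size_t n = strlen(dir_real);
    if (strncmp(dir_real, cand_real, n) != 0) return false;
    /* Require a separator at the boundary so "/cache-other/x" does not
     * pass as inside "/cache". */
    return cand_real[n] == '/';
}

/* Unlink an outdated cache entry only after the containment check passes.
 * Returns 0 on success, -1 if the path was rejected or unlink() failed. */
int remove_cache_entry_safely(const char *cache_dir, const char *entry)
{
    if (!path_within_dir(cache_dir, entry)) {
        fprintf(stderr, "refusing to remove %s: resolves outside %s\n",
                entry, cache_dir);
        return -1;
    }
    return unlink(entry);
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed scenario under a fresh temp directory:
 *   <root>/cache/old.cache             genuine outdated entry (inside)
 *   <root>/victim.txt                  a host file that must survive (outside)
 *   <root>/cache/link -> ../victim.txt symlink escaping the directory
 * Returns the number of checks that behaved as intended (5 when all do),
 * or -1 if the scenario could not be set up. */
int run_demo(void)
{
    char tmpl[] = "/tmp/ldcache-demo-XXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL) return -1;

    char cache[PATH_MAX], inside[PATH_MAX], victim[PATH_MAX];
    char lnk[PATH_MAX], traversal[PATH_MAX];
    snprintf(cache, sizeof cache, "%s/cache", root);
    snprintf(inside, sizeof inside, "%s/cache/old.cache", root);
    snprintf(victim, sizeof victim, "%s/victim.txt", root);
    snprintf(lnk, sizeof lnk, "%s/cache/link", root);
    snprintf(traversal, sizeof traversal, "%s/cache/../victim.txt", root);

    if (mkdir(cache, 0700) != 0 || touch(inside) != 0 || touch(victim) != 0 ||
        symlink("../victim.txt", lnk) != 0)
        return -1;

    int passed = 0;
    passed += path_within_dir(cache, inside) == true;        /* accepted */
    passed += path_within_dir(cache, traversal) == false;    /* ".." escape */
    passed += path_within_dir(cache, lnk) == false;          /* symlink escape */
    passed += remove_cache_entry_safely(cache, traversal) == -1 &&
              access(victim, F_OK) == 0;                     /* victim intact */
    passed += remove_cache_entry_safely(cache, inside) == 0 &&
              access(inside, F_OK) != 0;                     /* entry removed */

    /* Clean up the constructed tree. */
    unlink(lnk); unlink(inside); unlink(victim); rmdir(cache); rmdir(root);
    return passed;
}

int main(void)
{
    int n = run_demo();
    printf("%d of 5 containment checks behaved as intended\n", n);
    return n == 5 ? 0 : 1;
}
```

The symlink case is deliberately conservative: `unlink()` on a link would only remove the link itself, but a cleanup routine that resolves and refuses it avoids ever reasoning about link targets, which is the class of mistake the advisory describes.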
The official advisory from the Flatpak GitHub security page (GHSA-p29x-r292-46pp) confirms the issue and states that it is fully resolved in Flatpak version 1.16.4, recommending immediate upgrades for all affected installations to mitigate the risk.
Details
- CWE(s)