{"id":"DEBIAN-CVE-2026-34079","details":"Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.","modified":"2026-04-28T20:31:40.164544Z","published":"2026-04-07T22:16:22.080Z","upstream":["CVE-2026-34079"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2026-34079"}],"affected":[{"package":{"name":"flatpak","ecosystem":"Debian:11","purl":"pkg:deb/debian/flatpak?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.10.2-3","1.10.3-0+deb11u1","1.10.3-0+deb11u1~bpo11+1","1.10.5-0+deb11u1","1.10.5-0+deb11u1~bpo10+1","1.10.7-0+deb11u1","1.10.7-0+deb11u1~bpo10+1","1.10.8-0+deb11u1","1.10.8-0+deb11u2","1.10.8-0+deb11u3","1.11.1-1","1.11.2-1","1.11.3-1","1.11.3-2","1.11~git20210413-1","1.11~git20210416.1-1","1.12.0-1","1.12.1-1","1.12.1-1~bpo11+1","1.12.2-1","1.12.2-1~bpo11+1","1.12.2-2","1.12.3-1","1.12.3-1~bpo11+1","1.12.4-1","1.12.4-1~bpo11+1","1.12.5-1","1.12.5-1~bpo11+1","1.12.6-1","1.12.6-1~bpo11+1","1.12.7-1","1.12.7-1~bpo11+1","1.13.1-1","1.13.2-1","1.13.3-1","1.13.3-2","1.14.0-1","1.14.0-1~bpo11+1","1.14.0-2","1.14.0-2~bpo11+1","1.14.1-1","1.14.1-1~bpo11+1","1.14.10-1","1.14.10-1~deb12u1","1.14.10-1~deb12u2","1.14.2-1","1.14.2-1~bpo11+1","1.14.3-1","1.14.3-1~bpo11+1","1.14.4-1","1.14.4-1~bpo11+1","1.14.4-2","1.14.5-1","1.14.6-1","1.14.6-1~deb13u1","1.14.8-1","1.14.8-1~deb12u1","1.15.0-1","1.15.0-2","1.15.1-1","1.15.10-1","1.15.12-1","1.15.2-1","1.15.3-1","1.15.4-1","1.15.6-1","1.15.7-1","1.15.8-1","1.15.9-1","1.15.91-1","1.16.0-1","1.16.0-2","1.16.0-2~bpo12+1","1.16.1-1","1.16.1-1~bpo12+1","1.16.1-2","1.16.1-3","1.16.2-1","1.16.2-1~deb13u1","1.16.3-1","1.16.3-1~deb13u1","1.16.4-1","1.16.4-2","1.16.5-1",
"1.16.6-1","1.16.6-1~deb13u1","1.16.6-1~deb13u1~bpo12+1","1.17.2-1","1.17.3-1","1.17.3-2","1.17.6-1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34079.json"}},{"package":{"name":"flatpak","ecosystem":"Debian:12","purl":"pkg:deb/debian/flatpak?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.14.10-1~deb12u2"}]}],"versions":["1.14.10-1~deb12u1","1.14.4-1","1.14.4-1+deb12u1","1.14.4-1+deb12u1~bpo11+1","1.14.4-2","1.14.5-1","1.14.6-1","1.14.6-1~deb13u1","1.14.8-1","1.14.8-1~deb12u1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34079.json"}},{"package":{"name":"flatpak","ecosystem":"Debian:13","purl":"pkg:deb/debian/flatpak?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.16.6-1~deb13u1"}]}],"versions":["1.16.1-1","1.16.1-2","1.16.1-3","1.16.2-1","1.16.2-1~deb13u1","1.16.3-1","1.16.3-1~deb13u1","1.16.4-1","1.16.4-2","1.16.5-1","1.16.6-1~deb13u1~bpo12+1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34079.json"}},{"package":{"name":"flatpak","ecosystem":"Debian:14","purl":"pkg:deb/debian/flatpak?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.16.4-1"}]}],"versions":["1.16.1-1","1.16.1-2","1.16.1-3","1.16.2-1","1.16.2-1~deb13u1","1.16.3-1","1.16.3-1~deb13u1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-34079.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}