
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN366
_____________________________________________________________________

DATE                : 09/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running flatpak versions prior to 1.16.4.

=====================================================================
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp
https://github.com/flatpak/flatpak/security/advisories/GHSA-2fxp-43j9-pwvc
https://github.com/flatpak/flatpak/security/advisories/GHSA-89xm-3m96-w3jg
_____________________________________________________________________


CVE-2026-34078: Complete sandbox escape leading to host file access
and code execution in the host context
Critical
swick published GHSA-cc2q-qc34-jprg Apr 7, 2026

Package
No package listed

Affected versions
<1.16.4

Patched versions
1.16.4


Description

Impact

Every Flatpak app is able to read and write arbitrary files on the host
and execute code in the host context.


Description

The Flatpak portal accepts paths in the sandbox-expose options which can
be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts
the resolved host path in the sandbox. This gives apps access to all host
files and can be used as a primitive to gain code execution in the host
context.


Patches

The issue has been patched in version 1.16.4 and will be patched in the
upcoming version 1.18.0.


Mitigations

Disabling the Flatpak Portal mitigates the issue but can result in
misbehaving apps.

sudo systemctl --global mask flatpak-portal.service && systemctl --user stop flatpak-portal.service


Credits

Reported by Codean Labs


Severity
Critical

CVE ID
CVE-2026-34078

Weaknesses
No CWEs


_____________________________________________________________________


CVE-2026-34079: Arbitrary file deletion on the host filesystem
Moderate
swick published GHSA-p29x-r292-46pp Apr 7, 2026

Package
No package listed

Affected versions
<1.16.4

Patched versions
1.16.4


Description

Impact

Every Flatpak app is able to delete arbitrary files on the host.


Description

The caching for ld.so removes outdated cache files without properly
checking that the app controlled path to the outdated cache is in the
cache directory.


Patches

The issue has been patched in version 1.16.4 and will be patched in
the upcoming version 1.18.0.


Mitigations

No known mitigation other than updating.


Credits

Reported by Codean Labs


Severity
Moderate

CVE ID
CVE-2026-34079

Weaknesses
No CWEs

_____________________________________________________________________


Arbitrary read-access to files in the system-helper context
Low
swick published GHSA-2fxp-43j9-pwvc Apr 7, 2026

Package
No package listed

Affected versions
<1.16.4

Patched versions
1.16.4


Description

Impact

A malicious user can get read-access to files in the system-helper
context if a system OCI repository is configured.


Description

The OCI code paths in the system helper will follow symlinks when
importing OCI images which are under the user's control.
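CVE-2026-34078, CVE-2026-34079 and the OCI system-helper advisory above share one root cause: a path chosen by an untrusted party (a sandbox-expose option, an ld.so cache entry, a file inside an OCI image) is acted on by a privileged component before anyone checks where it really points once symlinks are resolved. The following is an added illustration of the two defensive patterns involved, resolve-then-contain before mounting or deleting, and open-without-follow when importing; it is not Flatpak's code, and the directory layout, file names and uids it builds are constructed for the demonstration.

```python
"""Added example (not Flatpak's own code): symlink-safe path handling.

Two defensive patterns: resolve-then-contain before a privileged mount or
delete, and open-without-follow when importing files from a directory the
caller controls.  All file names and the layout below are constructed.
"""
import os
import tempfile
from pathlib import Path


def resolve_within(root: str, requested: str) -> Path:
    """Resolve ``requested`` relative to ``root`` and refuse escapes.

    Both paths are resolved with symlinks followed, so a link inside
    ``root`` that points at a host file is rejected even though its
    lexical form ("escape") looks harmless.
    """
    root_real = Path(root).resolve(strict=True)
    target = (root_real / requested).resolve(strict=True)
    if target != root_real and root_real not in target.parents:
        raise PermissionError(f"{requested!r} resolves outside {root!r}")
    return target


def safe_unlink_in(cache_dir: str, stale_name: str) -> bool:
    """Delete a stale cache file only if it truly lives in cache_dir."""
    os.unlink(resolve_within(cache_dir, stale_name))
    return True


def read_nofollow(root: str, name: str) -> bytes:
    """Read ``name`` inside ``root`` without following a symlink leaf.

    O_NOFOLLOW makes open() fail (ELOOP) when the leaf is a symlink, so a
    caller-supplied directory cannot smuggle in a pointer to a file that
    the importing process can read but the caller cannot.
    """
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=root_fd)
    finally:
        os.close(root_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def _raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc, False otherwise."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Build a constructed layout and exercise each check.

    tmp/outside.txt                     stands in for a host-only file
    tmp/root/data.txt                   regular file, allowed
    tmp/root/escape -> tmp/outside.txt  symlink leaving the root
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        os.mkdir(root)
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "wb") as f:
            f.write(b"secret")
        with open(os.path.join(root, "data.txt"), "wb") as f:
            f.write(b"hello")
        os.symlink(outside, os.path.join(root, "escape"))

        results["regular_ok"] = resolve_within(root, "data.txt").name == "data.txt"
        results["symlink_rejected"] = _raises(PermissionError, resolve_within, root, "escape")
        results["nofollow_rejected"] = _raises(OSError, read_nofollow, root, "escape")
        results["nofollow_reads_regular"] = read_nofollow(root, "data.txt") == b"hello"
        results["unlink_escape_blocked"] = _raises(PermissionError, safe_unlink_in, root, "escape")
        results["outside_survives"] = os.path.exists(outside)
        results["unlink_regular"] = safe_unlink_in(root, "data.txt")
        results["regular_gone"] = not os.path.exists(os.path.join(root, "data.txt"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check compares fully resolved paths rather than string prefixes, which is what defeats the "harmless-looking name, hostile target" pattern; O_NOFOLLOW covers the import case where the leaf itself must never be a link. A race remains if the directory can be modified between the check and the privileged use, which is why production code on Linux prefers openat-style traversal on a held directory descriptor.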


Patches

The issue has been patched in version 1.16.4 and will be patched in
the upcoming version 1.18.0.


Mitigations

Remove all OCI system remotes.


Credits
@smcv

Severity
Low

CVE ID
No known CVE

Weaknesses
No CWEs

_____________________________________________________________________


flatpak-system-helper: cross-user CancelPull orphans another user's
ongoing pull
Low
swick published GHSA-89xm-3m96-w3jg Apr 7, 2026

Package
No package listed

Affected versions
<1.16.4

Patched versions
1.16.4


Description

Impact

Ongoing pulls cannot be stopped.


Description

By calling org.freedesktop.Flatpak.SystemHelper.CancelPull on another
user's pull, the pull does not get cancelled but removed from internal
tracking, making it impossible to stop it.
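The failure mode described above, modelled in an added example that is not flatpak-system-helper's own code: a shared, privileged service that runs pulls for several unprivileged callers, with a cancel method that drops the bookkeeping entry before checking ownership (so a denied request still orphans the running pull) beside the hardened form that verifies the caller's uid before touching any state. Class names, uids and pull ids are constructed.

```python
"""Added example (not flatpak-system-helper's own code): ownership check on
a cancel operation in a shared, multi-user service.  Uids and ids are
constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Pull:
    owner_uid: int
    cancelled: bool = False


@dataclass
class PullTracker:
    running: dict = field(default_factory=dict)  # what is actually executing
    tracked: dict = field(default_factory=dict)  # helper's bookkeeping: id -> Pull
    next_id: int = 1

    def start_pull(self, caller_uid: int) -> int:
        pull_id, self.next_id = self.next_id, self.next_id + 1
        pull = Pull(owner_uid=caller_uid)
        self.running[pull_id] = pull
        self.tracked[pull_id] = pull
        return pull_id

    def cancel_pull_unchecked(self, caller_uid: int, pull_id: int) -> bool:
        """Vulnerable: removes the entry from tracking before the owner
        check, so a denied request leaves the pull running and untracked."""
        pull = self.tracked.pop(pull_id, None)
        if pull is None or pull.owner_uid != caller_uid:
            return False
        pull.cancelled = True
        return True

    def cancel_pull(self, caller_uid: int, pull_id: int) -> bool:
        """Hardened: verify ownership first; deny without changing state."""
        pull = self.tracked.get(pull_id)
        if pull is None or pull.owner_uid != caller_uid:
            return False
        pull.cancelled = True
        del self.tracked[pull_id]
        return True


ALICE, BOB = 1000, 1001  # constructed uids


def demo() -> dict:
    # Vulnerable flow: Bob calls cancel on Alice's pull.
    t = PullTracker()
    pid = t.start_pull(ALICE)
    bob_denied = not t.cancel_pull_unchecked(BOB, pid)
    orphaned = pid not in t.tracked and not t.running[pid].cancelled
    alice_stuck = not t.cancel_pull(ALICE, pid)  # entry is gone, nothing to cancel

    # Hardened flow: the same attempt leaves Alice's pull intact and cancellable.
    t2 = PullTracker()
    pid2 = t2.start_pull(ALICE)
    bob_denied2 = not t2.cancel_pull(BOB, pid2)
    still_tracked = pid2 in t2.tracked
    alice_cancels = t2.cancel_pull(ALICE, pid2) and t2.running[pid2].cancelled
    return {
        "vuln_bob_denied": bob_denied,
        "vuln_pull_orphaned": orphaned,
        "vuln_owner_cannot_cancel": alice_stuck,
        "fixed_bob_denied": bob_denied2,
        "fixed_still_tracked": still_tracked,
        "fixed_owner_cancels": alice_cancels,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both versions return False to the wrong caller, so the bug is invisible at the D-Bus reply level; it only shows up as the owner's later cancel failing, which is the kind of state check an audit of authorization logic in a shared helper needs to cover.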


Patches

The issue has been patched in version 1.16.4 and will be patched in
the upcoming version 1.18.0.


Mitigations

No known mitigation other than updating.


Credits
Asim Viladi Oglu Manizada


Severity
Low

CVE ID
No known CVE

Weaknesses
No CWEs



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================