Flatpak 1.16.4 fixes sandbox escape and three other security flaws
Help Net Security
Anamarija Pogorelec, Managing Editor, Help Net Security
April 8, 2026
Flatpak, a Linux application sandboxing and distribution framework, released version 1.16.4, patching four security vulnerabilities.
The most severe fix addresses a complete sandbox escape that leads to host file access and code execution in the host context, tracked as CVE-2026-34078.
File system exposure
Two additional fixes address file system exposure on the host. CVE-2026-34079 prevents arbitrary file deletion on the host filesystem. GHSA-2fxp-43j9-pwvc prevents arbitrary read access to files in the system-helper context.
The fourth fix, tracked as GHSA-89xm-3m96-w3jg, prevents orphaning of cross-user pull operations.
The release is available on the Flatpak GitHub repository. Administrators running Flatpak should update to 1.16.4.