Flatpak 1.16.4 Drops Security Bombs: Sandbox Escapes and Host File Deletion Vulnerabilities Exposed
Updating to Flatpak 1.16.4 is necessary to patch two critical vulnerabilities: CVE-2026-34078 and CVE-2026-34079. The update fixes a sandbox escape and prevents arbitrary host file deletion.
Discussion centers on the nature of these flaws. KarnaSubarna detailed the root cause: the portal allowed app-controlled symlinks in `sandbox-expose` options, which enabled host code execution. The other critical flaw was inadequate checks in `ld.so` caching, which allowed file deletion on the host filesystem. On the defense side, DeltaWingDragon questioned the interplay between AppArmor and Flatpak's native sandboxing, asking whether AppArmor would clash with existing protections.
The consensus demands the update for security. The primary fault line remains the layered security model; users are still uncertain how AppArmor integrates with the already robust Flatpak sandboxes.
Key Points
Flatpak 1.16.4 patches CVE-2026-34078, a sandbox escape via symlink exploitation.
KarnaSubarna confirms the fix addresses sandbox escape through app-controlled symlinks in `sandbox-expose` options.
A second vulnerability allowed host file deletion via weak caching mechanisms.
KarnaSubarna notes that the fix for CVE-2026-34079 addresses insufficient checks in `ld.so` caching.
Sandbox escape is severe, permitting host code execution.
cm0002 flagged the danger, stating apps could execute code in the host context by manipulating exposed paths.
AppArmor interaction with Flatpak sandboxes is a sticking point.
DeltaWingDragon specifically questioned whether AppArmor policies would negatively interact with or fail to secure applications already contained by Flatpak.
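The app-controlled symlink problem summarized above belongs to a general class: a path supplied by a less-trusted party is checked as text, then opened through the filesystem. As an added example (not Flatpak's code and not its actual fix), the Python below contrasts a lexical check with a component-by-component open using `O_NOFOLLOW`; the directory layout and function names are constructed for illustration.

```python
import os
import tempfile

def naive_is_inside(app_dir, rel):
    # Lexical check only: never looks at what the path components really are.
    full = os.path.normpath(os.path.join(app_dir, rel))
    return full.startswith(app_dir + os.sep)

def open_beneath(root_fd, rel):
    """Open rel below root_fd, refusing '..' and any symlink component."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path escapes root: %r" % rel)
    fd = os.dup(root_fd)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            nxt = os.open(part, flags, dir_fd=fd)  # raises OSError on a symlink
            os.close(fd)
            fd = nxt
    except OSError:
        os.close(fd)
        raise
    return fd

def demo():
    # Constructed layout: app/ is app-writable, host/ stands in for host files.
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        app, host = os.path.join(tmp, "app"), os.path.join(tmp, "host")
        os.makedirs(os.path.join(app, "data"))
        os.makedirs(host)
        for p in (os.path.join(host, "secret"), os.path.join(app, "data", "ok")):
            with open(p, "w") as f:
                f.write("x")
        os.symlink(host, os.path.join(app, "export"))  # app-controlled symlink
        root = os.open(app, os.O_RDONLY | os.O_DIRECTORY)
        results = {"naive": naive_is_inside(app, "export/secret")}
        for name, rel in (("symlink", "export/secret"), ("regular", "data/ok")):
            try:
                os.close(open_beneath(root, rel))
                results[name] = "opened"
            except OSError:
                results[name] = "refused"
        os.close(root)
        return results

if __name__ == "__main__":
    print(demo())
```

The lexical check accepts `export/secret` because the string stays under the app directory, while the descriptor-based walk refuses it at the symlinked component and still opens the regular file.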
Source Discussions (5)
This report was synthesized from the following Lemmy discussions, ranked by community score.