Critical Sandbox Escape in Flatpak (CVE‑2026‑34078) Patched in 1.16.4
What It Is – Flatpak 1.16.4 addresses four security flaws in the Linux sandboxing framework, the most severe being CVE‑2026‑34078, a complete sandbox escape that allows a malicious Flatpak app to read/write host files and execute code with host‑level privileges.
Exploitability – A working proof of concept for the escape exists. No exploitation‑as‑a‑service offering is known, but a public PoC is all an attacker needs, so treat the flaw as actively exploitable. The CVSS v3.1 base score is estimated at 9.8 (Critical).
Affected Products – Flatpak ≤ 1.16.3 on any Linux distribution that ships Flatpak (desktop, server and container‑host environments alike).
TPRM Impact –
- Third‑party Linux workloads that rely on Flatpak for application delivery could be compromised, exposing the host OS and any data it stores.
- Supply‑chain risk: because the escape is triggered from inside a malicious app, a tampered package in a vendor's Flatpak remote turns a sandbox compromise into a host compromise on every downstream customer that installs it.
Recommended Actions –
- Immediately upgrade all Flatpak installations to version 1.16.4 or later.
- Verify the version on each endpoint with flatpak --version. A distribution that backports the fix may keep an older version string; in that case confirm against the distribution's own advisory rather than the upstream number.
- Review recent Flatpak package installations and their origin remotes for suspicious activity; re‑sign or replace any untrusted packages.
- Incorporate Flatpak version checks into your configuration‑management and vulnerability‑scanning pipelines.
- For high‑risk environments, consider temporarily disabling Flatpak until the upgrade is verified.
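The version check and the installation review above, as an added POSIX shell example that is not part of the advisory or of the Flatpak project. It compares the installed version against 1.16.4, flags installed apps whose origin remote is not on an allowlist, and prints the recent install history for manual review. The allowlist (`flathub`, `fedora`), the fixed-version constant and the sample `flatpak list` output are assumptions constructed for the example; the live `flatpak` commands only run when the binary is present, so the script also runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory or the Flatpak project): check the
# installed Flatpak build against the fixed release and flag apps installed
# from remotes that are not on an allowlist.
set -e

FIXED_VERSION="1.16.4"            # first release carrying the CVE-2026-34078 fix
TRUSTED_REMOTES="flathub fedora"  # assumption: replace with your approved remotes

# Constructed sample in the shape of `flatpak list --app --columns=application,origin`
# (fields separated by whitespace); used only when flatpak is not installed.
SAMPLE_LIST="org.mozilla.firefox flathub
com.example.Unknown vendor-mirror
org.gnome.Calculator fedora"

# True (exit 0) when dotted version $1 sorts strictly before $2.
# Only numeric components are compared; missing components count as 0 and
# any non-numeric suffix on a component is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bi="${b%%.*}"; if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Takes the raw output of `flatpak --version` (e.g. "Flatpak 1.16.3") and
# returns 0 when that build is still affected, i.e. older than FIXED_VERSION.
flatpak_is_vulnerable() {
    ver="${1##* }"   # keep the last whitespace-separated token
    version_lt "$ver" "$FIXED_VERSION"
}

# Reads "application origin" lines on stdin and prints the application IDs
# whose origin is not in TRUSTED_REMOTES (an empty origin is also reported).
untrusted_apps() {
    while read -r app origin; do
        [ -n "$app" ] || continue
        trusted=0
        for r in $TRUSTED_REMOTES; do
            [ "$origin" = "$r" ] && trusted=1
        done
        [ "$trusted" -eq 1 ] || printf '%s\n' "$app"
    done
}

main() {
    if command -v flatpak >/dev/null 2>&1; then
        out="$(flatpak --version)"
        if flatpak_is_vulnerable "$out"; then
            echo "VULNERABLE: $out (fixed in $FIXED_VERSION)"
        else
            echo "OK: $out"
        fi
        # Assumption: the application and origin columns are available (Flatpak 1.x).
        flatpak list --app --columns=application,origin | untrusted_apps \
            | sed 's/^/untrusted origin: /'
        flatpak history || true   # recent installs/updates/removals for manual review
    else
        echo "flatpak not installed here; checking the constructed sample instead"
        printf '%s\n' "$SAMPLE_LIST" | untrusted_apps | sed 's/^/untrusted origin: /'
    fi
}
main
```

Any application reported with an untrusted origin is a candidate for the "re‑sign or replace" step; a version line reported as VULNERABLE on a distribution that backports fixes still needs to be cross‑checked against that distribution's advisory.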
Source: Help Net Security – Flatpak 1.16.4 released fixes sandbox escape