Flatpak 1.16.4 patches a critical sandbox escape vulnerability (CVE-2026-34078) that allows an attacker to access the host filesystem and execute code in the host context. The update also addresses three other flaws, including CVE-2026-34079 for arbitrary file deletion and GHSA-2fxp-43j9-pwvc for arbitrary file read access within the system-helper context. Affected versions are those prior to 1.16.4, and users must upgrade to Flatpak version 1.16.4 to mitigate these risks.
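The version cutoff stated above can be checked on a host from the output of `flatpak --version`. The script below is an added example, not code from the Flatpak project or from the original article; the function names `version_lt` and `flatpak_status` are hypothetical, and it assumes the usual `Flatpak X.Y.Z` output format.

```shell
#!/bin/sh
# Added example: classify a host from the output of `flatpak --version`.
# Assumption: the output has the form "Flatpak X.Y.Z".
FIXED_VERSION="1.16.4"   # fixed release named on this page

# version_lt A B: succeed when dotted numeric version A is lower than B.
# Components are compared as numbers, so 1.9 sorts below 1.16.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# flatpak_status "<version output>": prints patched, vulnerable or unknown.
flatpak_status() {
    ver=${1#Flatpak }
    case $ver in
        # Empty or not purely dotted digits: refuse to guess.
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo vulnerable   # prior to 1.16.4, per this page
    else
        echo patched
    fi
}

# Report on the local host only when flatpak is installed.
if command -v flatpak >/dev/null 2>&1; then
    echo "flatpak: $(flatpak_status "$(flatpak --version 2>/dev/null)")"
fi
```

A distribution package may carry backported fixes under an older version number, so a `vulnerable` result is a prompt to check the distribution's own advisory.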
Flatpak, a Linux application sandboxing and distribution framework, released version 1.16.4, patching four security vulnerabilities. The most severe fix addresses a complete sandbox escape that leads to host file access and code execution in the host context, tracked as CVE-2026-34078.

File system exposure

Two additional fixes address file system exposure on the host. CVE-2026-34079 prevents arbitrary file deletion on the host filesystem. GHSA-2fxp-43j9-pwvc prevents arbitrary read-access to files in the system-helper context. The fourth fix, …

The post Flatpak 1.16.4 fixes sandbox escape and three other security flaws appeared first on Help Net Security.