oss-sec mailing list archives
Re: 4 security fixes in Flatpak, including critical CVE-2026-34078: Complete sandbox escape leading to host file access and code execution in the host context
From: Simon McVittie <smcv () debian org>
Date: Thu, 9 Apr 2026 09:54:54 +0100
On Thu, 09 Apr 2026 at 02:32:56 +0200, Solar Designer wrote:
> Arbitrary read-access to files in the system-helper context
...
> A malicious user can get read-access to files in the system-helper context if a system OCI repository is configured.
We weren't sure whether this one is even a vulnerability, and only handled it like a vulnerability out of an abundance of caution, hence the lack of CVE ID. I can't think of a real-world situation where there would be files that are readable by the unprivileged system uid that is used by the flatpak-system-helper process ("_flatpak" on Debian/Ubuntu, or some similar name on other distros), but not readable by the user who is running flatpak.
smcv
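An administrator can check the condition described in the message above (files readable by the system-helper uid but not by the invoking user) on their own host. The following is an added example, not part of the original message or of Flatpak; it assumes plain POSIX mode bits decide access (ACLs, capabilities and LSM policy are ignored, and uid 0 is not special-cased), and the script name `audit.py` and the user `alice` in its usage comment are hypothetical.

```python
import grp, os, pwd, sys

def identity(name):
    """(uid, gids) for an account name, from the local passwd/group databases."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}

def allowed(st, uid, gids, bit):
    """POSIX mode-bit check; the first matching class (owner, group, other) decides."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def readable(path, ident, stat_fn=os.stat):
    """True if every ancestor directory is searchable (x) and the file is readable (r)."""
    uid, gids = ident
    cur, ancestors = "/", ["/"]
    for part in path.strip("/").split("/")[:-1]:
        cur = os.path.join(cur, part)
        ancestors.append(cur)
    try:
        return (all(allowed(stat_fn(d), uid, gids, 1) for d in ancestors)
                and allowed(stat_fn(path), uid, gids, 4))
    except OSError:
        return False  # vanished or un-stat-able entries are not counted

def helper_only(paths, helper, user, stat_fn=os.stat):
    """Paths the helper identity can read but the user identity cannot."""
    return [p for p in paths
            if readable(p, helper, stat_fn) and not readable(p, user, stat_fn)]

if __name__ == "__main__":
    # Usage (as root, so the walk sees everything): audit.py _flatpak alice /var
    helper, user = identity(sys.argv[1]), identity(sys.argv[2])
    root = os.path.abspath(sys.argv[3])
    files = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
    for hit in helper_only(files, helper, user):
        print(hit)
```

An empty result for a given user and tree means the mode bits expose nothing to the helper account that the user could not already read there.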
