Skip to main content

Red Hat CVE-2026-34079

| EUVDEUVD-2026-19971 HIGH
Path Traversal (CWE-22)
2026-04-07 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
6.7 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 20:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:02 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.16.4
EUVD ID Assigned
Apr 07, 2026 - 22:16 euvd
EUVD-2026-19971
Analysis Generated
Apr 07, 2026 - 22:16 vuln.today
CVE Published
Apr 07, 2026 - 21:29 nvd
HIGH 8.7

DescriptionGitHub Advisory

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

AnalysisAI

Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.

Technical ContextAI

Flatpak is a Linux application sandboxing and distribution framework that isolates applications from the host system. The vulnerability resides in the dynamic linker (ld.so) caching mechanism, which maintains cached shared library information to accelerate application startup. During cache cleanup operations, Flatpak fails to properly validate that application-controlled file paths referencing outdated cache entries are confined to the designated cache directory. This represents a classic CWE-22 path traversal vulnerability where insufficient path canonicalization or boundary checking allows an attacker to use directory traversal sequences (e.g., '../') to reference files outside the intended cache directory. The affected component is the Flatpak runtime itself (cpe:2.3:a:flatpak:flatpak), which manages the sandbox environment and cache operations on behalf of contained applications.

RemediationAI

Organizations should immediately upgrade Flatpak to version 1.16.4 or later, which contains the fix for the path traversal vulnerability in ld.so cache file cleanup. The patch implements proper validation to ensure application-controlled paths remain within the designated cache directory before file deletion operations occur. System administrators can verify their current Flatpak version with 'flatpak --version' and update via their distribution's package manager (e.g., 'apt update && apt upgrade flatpak' on Debian/Ubuntu or 'dnf upgrade flatpak' on Fedora/RHEL). No effective workarounds exist that maintain Flatpak functionality, as the vulnerability is in the core caching mechanism. Review the official vendor advisory at https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp for additional technical details and distribution-specific guidance. Organizations running untrusted Flatpak applications should prioritize this update to prevent potential host system file deletion.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-34079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy