Fedora 43 Flatpak 1.16.6 Critical Code Execution and File Deletion
fedora
April 14, 2026
Update to 1.16.6 Fixes for CVE-2026-34078, CVE-2026-34079, GHSA-2fxp-43j9-pwvc and GHSA-89xm-3m96-w3jg
Summary
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.
Update Information:
Update to 1.16.6 Fixes for CVE-2026-34078, CVE-2026-34079, GHSA-2fxp-43j9-pwvc and GHSA-89xm-3m96-w3jg
Topics Covered
Change Log
* Fri Apr 10 2026 Michael Catanzaro
References
[ 1 ] Bug #2456384 - CVE-2026-34078 flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2456384 [ 2 ] Bug #2456395 - CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2456395
Update Instructions
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-5286084b44' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Name: flatpak
Product: Fedora 43
Version: 1.16.6
Release: 1.fc43
URL: https://flatpak.org/
Summary: Application deployment framework for desktop apps
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!