Message-ID: <addpXtrgdf1Dcqkg@definition.pseudorandom.co.uk>
Date: Thu, 9 Apr 2026 09:54:54 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: 4 security fixes in Flatpak, including critical
 CVE-2026-34078: Complete sandbox escape leading to host file access and code
 execution in the host context

On Thu, 09 Apr 2026 at 02:32:56 +0200, Solar Designer wrote:
>> Arbitrary read-access to files in the system-helper context
...
>> A malicious user can get read-access to files in the system-helper
>> context if a system OCI repository is configured.

We weren't sure whether this one is even a vulnerability, and only 
handled it like a vulnerability out of an abundance of caution, hence 
the lack of CVE ID. I can't think of a real-world situation where there 
would be files that are readable by the unprivileged system uid that is 
used by the flatpak-system-helper process ("_flatpak" on Debian/Ubuntu, 
or some similar name on other distros), but not readable by the user who 
is running flatpak.

     smcv
