High severity7.5NVD Advisory· Published Apr 7, 2026· Updated Apr 17, 2026

CVE-2026-34079

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.

Affected products

Flatpak/Flatpak
cpe:2.3:a:flatpak:flatpak:*:*:*:*:*:*:*:*
Range: <1.16.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46ppnvdVendor Advisory

News mentions

Attackers replaced JDownloader installer downloads with malware
Malwarebytes Labs · May 15, 2026
JDownloader site hacked to replace installers with Python RAT malware
BleepingComputer · May 9, 2026

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000