Package: flatpak
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Flatpak older than 1.16.4 has an issue in which the caching for
ld.so removes outdated cache files without properly checking that the
app-controlled path to the outdated cache is in the cache directory. A
malicious or compromised Flatpak app could use this to delete arbitrary
files on the host system, a denial of service vulnerability (denying
availability).
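The containment check the report describes as missing, as an added example that is not Flatpak's own code: an outdated-cache removal that refuses any app-supplied path which does not resolve to a direct child of the cache directory, and then unlinks relative to a directory descriptor so the deletion cannot be redirected. The function names and the temporary-directory layout used here are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Canonicalise both paths (".." and symlinks resolved) and require that
 * `candidate` is a direct child of `cache_dir`. On success the child's
 * basename is copied to `name_out` and 1 is returned; otherwise 0. */
static int resolve_cache_child(const char *cache_dir, const char *candidate,
                               char *name_out, size_t name_len)
{
    char base[PATH_MAX], cand[PATH_MAX];
    if (!realpath(cache_dir, base) || !realpath(candidate, cand))
        return 0;                       /* unresolvable: nothing to remove */
    size_t n = strlen(base);
    /* Demand the "<base>/" prefix so "/cache-evil/x" is not taken for "/cache/x". */
    if (strncmp(cand, base, n) != 0 || cand[n] != '/')
        return 0;
    const char *child = cand + n + 1;
    if (*child == '\0' || strchr(child, '/') != NULL)
        return 0;                       /* empty or nested: not a cache file */
    if (strlen(child) >= name_len)
        return 0;
    strcpy(name_out, child);
    return 1;
}

/* Remove an outdated cache file. Returns 0 on success, -1 if the supplied
 * path is rejected or the unlink fails. Because the unlink is done via
 * unlinkat() on the cache directory's fd with the validated basename, the
 * only entry that can ever be removed is one inside cache_dir. */
int remove_stale_cache_file(const char *cache_dir, const char *stale_path)
{
    char name[NAME_MAX + 1];
    if (!resolve_cache_child(cache_dir, stale_path, name, sizeof name))
        return -1;                      /* path escaped the cache directory */
    int dfd = open(cache_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    int rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}
```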

I think we should fix this in the same batch as the much more serious
CVE-2026-34078.

Thanks,
smcv