Bug 2456276 (CVE-2026-34078)

Summary: CVE-2026-34078 flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: rhel-process-autobot, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Flatpak, a Linux application sandboxing and distribution framework. A malicious application could exploit this by using specially crafted symlinks within the sandbox-expose options of the Flatpak portal. This allows the application to access arbitrary host files and potentially achieve code execution on the host system, bypassing the intended security sandbox.
Bug Depends On: 2456383, 2456384

Description OSIDB Bzimport 2026-04-07 22:01:32 UTC
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
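As an added illustration of the kind of check the description implies a portal needs (this is example code, not Flatpak's own implementation): an app-supplied sandbox-expose path is fully resolved, symlinks included, and only accepted if the resolved target still lies under the directory the app is allowed to share. The names resolve_expose_path, app_root and requested, and the temporary directory layout, are assumptions constructed for this example.

```python
import os
import tempfile
from typing import Optional


def resolve_expose_path(app_root: str, requested: str) -> Optional[str]:
    """Return the resolved host path for `requested` if it stays inside
    `app_root` after every symlink and '..' is followed; otherwise None.

    `requested` plays the role of the app-controlled sandbox-expose value;
    `app_root` is the directory the app may legitimately expose.
    Both names are assumptions for this illustration, not Flatpak's API.
    """
    root = os.path.realpath(app_root)
    # Relative requests are joined under the app root; absolute ones are
    # taken as-is. realpath() then collapses symlinks and '..' so that the
    # containment check runs on the actual host path that would be mounted.
    candidate = requested if os.path.isabs(requested) else os.path.join(root, requested)
    resolved = os.path.realpath(candidate)
    # Containment: the root itself or something strictly below it. The
    # trailing separator prevents "/x/app2" from matching root "/x/app".
    if resolved != root and not resolved.startswith(root + os.sep):
        return None
    return resolved


def demo() -> dict:
    """Constructed layout: an app root holding a real file, a symlink that
    points at a file outside the root, plus '..' and absolute-path requests."""
    base = tempfile.mkdtemp()
    app_root = os.path.join(base, "app")
    os.makedirs(os.path.join(app_root, "data"))
    host_secret = os.path.join(base, "host-secret")  # stands in for a host file
    with open(host_secret, "w") as f:
        f.write("constructed host file\n")
    with open(os.path.join(app_root, "data", "doc.txt"), "w") as f:
        f.write("legitimate app data\n")
    os.symlink(host_secret, os.path.join(app_root, "data", "escape"))
    return {
        "plain_file_allowed": resolve_expose_path(app_root, "data/doc.txt") is not None,
        "symlink_escape_rejected": resolve_expose_path(app_root, "data/escape") is None,
        "dotdot_rejected": resolve_expose_path(app_root, "../host-secret") is None,
        "absolute_rejected": resolve_expose_path(app_root, host_secret) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A string-level check like this is still exposed to a check-then-mount race if the app can swap the symlink between validation and mounting, so a production fix also has to resolve and mount through the same opened directory descriptor.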

Comment 2 errata-xmlrpc 2026-05-28 17:25:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:21756 https://access.redhat.com/errata/RHSA-2026:21756

Comment 3 errata-xmlrpc 2026-05-28 17:31:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:21757 https://access.redhat.com/errata/RHSA-2026:21757

Comment 4 errata-xmlrpc 2026-05-28 17:39:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:21755 https://access.redhat.com/errata/RHSA-2026:21755

Comment 5 errata-xmlrpc 2026-06-04 18:21:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:23420 https://access.redhat.com/errata/RHSA-2026:23420

Comment 6 errata-xmlrpc 2026-06-04 18:23:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:23419 https://access.redhat.com/errata/RHSA-2026:23419

Comment 7 errata-xmlrpc 2026-06-04 18:26:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:23418 https://access.redhat.com/errata/RHSA-2026:23418

Comment 8 errata-xmlrpc 2026-06-04 18:32:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:23417 https://access.redhat.com/errata/RHSA-2026:23417

Comment 9 errata-xmlrpc 2026-06-10 13:07:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:25068 https://access.redhat.com/errata/RHSA-2026:25068

Comment 10 errata-xmlrpc 2026-06-11 19:24:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

Via RHSA-2026:25381 https://access.redhat.com/errata/RHSA-2026:25381