Summary
- Flatpak 1.16.4 fixes a sandbox escape allowing host file access and code execution.
- Also blocks arbitrary file deletion and read-access exploits in host and system-helper contexts.
- Update Flatpak now (or wait for OS updates) to protect privacy and security.
One of the biggest benefits of Flatpak is how it puts apps into a container. It allows apps to ship with all of their dependencies and keeps them from altering your system files to install themselves, which are fantastic benefits; however, I’d argue the best reason to use Flatpak is the privacy and security angle. You can control what a Flatpak app can and cannot do through apps such as Flatseal, so your apps can’t access files or devices if you don’t want them to.
Unfortunately, Flatpak had a nasty vulnerability that would allow apps to get full host access and potentially run code on a PC. The good news is that the newest version of Flatpak, 1.16.4, introduces a fix for this bug, so be sure to give it a download if you’re concerned about your security.
Flatpak 1.16.4 fixes a nasty complete sandbox escape exploit
Give Flatpak an update ASAP
As reported by Linuxiac, Flatpak version 1.16.4 has just been published on the project’s GitHub. It contains a few fixes, but the most important one closes a hole that lets code escape the confines of the Flatpak container. The flaw allows an app to grant itself host file access and execute code in the host context, which is exactly the kind of security issue people use Flatpak to avoid in the first place.
Here are the full patch notes:
- Fix a complete sandbox escape which leads to host file access and code execution in the host context (CVE-2026-34078)
- Prevent arbitrary file deletion on the host filesystem (CVE-2026-34079)
- Prevent arbitrary read-access to files in the system-helper context (GHSA-2fxp-43j9-pwvc)
- Prevent orphaning cross-user pull operations (GHSA-89xm-3m96-w3jg)
If you use Flatpak and you’d prefer not to download the update via GitHub, keep your operating system updated. The update should arrive through your regular channels soon enough.
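To see whether a machine still needs the update, the check below compares the output of `flatpak --version` against the fixed release named above. It is an added example, not part of the original article or the Flatpak project; the function names and sample strings are constructed. It assumes any upstream version at or above 1.16.4 carries the fixes, and it compares version numbers only, so a distribution package that ships the fix under an older version number would still be reported as `update-needed`.

```sh
#!/bin/sh
# Added example: classify a Flatpak version string against the fixed
# release from the article. Only FIXED_VERSION comes from the article.
FIXED_VERSION="1.16.4"

# Pull the dotted version out of text such as "Flatpak 1.16.3",
# which is the format printed by `flatpak --version`.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2. Components are compared as
# integers, left to right, so 1.16.10 correctly sorts above 1.16.4.
version_ge() {
    vg_a=$1
    vg_b=$2
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x=${vg_a%%.*}
        vg_y=${vg_b%%.*}
        [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
        [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
        case $vg_a in *.*) vg_a=${vg_a#*.} ;; *) vg_a= ;; esac
        case $vg_b in *.*) vg_b=${vg_b#*.} ;; *) vg_b= ;; esac
    done
    return 0
}

# Print "patched", "update-needed" or "unknown" for a version banner.
flatpak_status() {
    fs_v=$(extract_version "$1")
    if [ -z "$fs_v" ]; then
        echo "unknown"
    elif version_ge "$fs_v" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "update-needed"
    fi
}

# Report on the locally installed Flatpak, if there is one.
if command -v flatpak >/dev/null 2>&1; then
    banner=$(flatpak --version)
    echo "$banner: $(flatpak_status "$banner")"
else
    echo "flatpak not found on PATH"
fi
```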

