Flatpak Sandbox Escape Vulnerability Allowing Host File Access and Code Execution

Vulnerability

A critical vulnerability in Flatpak versions prior to 1.16.4 allows a sandboxed application to escape the sandbox and access files on the host, with the potential for executing code in the host context. The root cause is that the 'sandbox-expose' options of the Flatpak portal accept app-controlled paths, including symlinks that can point to arbitrary locations. Because the portal runs outside the sandbox, the symlink target is resolved against the host's file system rather than the app's own view of it, and the resulting host path is then mounted into the sandbox. An app can therefore make the portal expose arbitrary host files to it.
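
The core of the problem is that a path chosen by the app is resolved by a helper running outside the sandbox, so a symlink's target is looked up against the host file system. The following is an added example, not Flatpak's code, that contrasts a naive host-side resolver with one that resolves symlinks with the app's directory as root and refuses any path that climbs out of it. The directory layout, the symlink targets and the function names (`naive_resolve`, `resolve_within`, `demo`) are constructed for illustration.

```python
"""Resolving an app-supplied path for a bind mount without letting a symlink
pull in host files.  Added example; not Flatpak's own code."""
import os
import shutil
import stat
import tempfile


def naive_resolve(base: str, relpath: str) -> str:
    """Resolve an app-supplied path the way a trusting host-side helper might:
    join it to the app's directory and let the kernel follow every symlink.
    Because this runs outside the sandbox, a symlink target such as '/etc'
    is interpreted against the HOST root, not the sandbox root."""
    return os.path.realpath(os.path.join(base, relpath))


def resolve_within(base: str, relpath: str, max_links: int = 40) -> str:
    """Resolve relpath against base using the sandbox's own view of the file
    system: walk one component at a time with lstat(), treat absolute symlink
    targets as relative to base (chroot-like), and refuse any '..' that would
    climb above base.  Every component must exist, as a bind-mount source must.
    Raises ValueError on an attempted escape."""
    base = os.path.realpath(base)
    cur = base
    # A leading '/' is dropped: the app's path is always taken relative to base.
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    links_followed = 0
    while parts:
        part = parts.pop(0)
        if part == "..":
            if cur == base:
                raise ValueError(f"{relpath!r}: '..' would escape {base}")
            cur = os.path.dirname(cur)
            continue
        candidate = os.path.join(cur, part)
        st = os.lstat(candidate)  # FileNotFoundError if the component is missing
        if stat.S_ISLNK(st.st_mode):
            links_followed += 1
            if links_followed > max_links:
                raise ValueError(f"{relpath!r}: too many symlinks")
            target = os.readlink(candidate)
            target_parts = [p for p in target.split("/") if p not in ("", ".")]
            if target.startswith("/"):
                cur = base  # absolute target: re-root at the sandbox base, not the host root
            # A relative target is relative to the link's directory, which is cur.
            parts = target_parts + parts
            continue
        cur = candidate
    return cur


def demo() -> dict:
    """Build a throwaway 'app data' tree (constructed sample input) and resolve
    three app-chosen paths with both strategies.  Paths inside the tree are
    reported with a '<base>' prefix so the result does not depend on the
    temporary directory's name."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="sandbox-expose-demo-"))
    try:
        os.makedirs(os.path.join(base, "data"))
        os.makedirs(os.path.join(base, "etc"))
        with open(os.path.join(base, "data", "file.txt"), "w") as f:
            f.write("app data\n")
        with open(os.path.join(base, "etc", "hostname"), "w") as f:
            f.write("sandbox-view\n")
        # Two app-controlled symlinks: an absolute target, and a '..' chain long
        # enough to reach the host root from any reasonable temp directory.
        os.symlink("/etc", os.path.join(base, "data", "escape"))
        os.symlink("/".join([".."] * 16), os.path.join(base, "data", "up"))

        def describe(path: str) -> str:
            inside = path == base or path.startswith(base + os.sep)
            return "<base>" + path[len(base):] if inside else path

        results = {}
        for rel in ("data/file.txt", "data/escape/hostname", "data/up/x"):
            naive = describe(naive_resolve(base, rel))
            try:
                safe = describe(resolve_within(base, rel))
            except ValueError:
                safe = "REJECTED"
            results[rel] = {"naive": naive, "safe": safe}
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, outcome in demo().items():
        print(f"{rel:24s} naive={outcome['naive']:22s} safe={outcome['safe']}")
```

Running `demo()` shows the two strategies agreeing on an ordinary file, disagreeing on the absolute symlink (the host's `/etc/hostname` versus the sandbox's own copy) and the naive resolver following the `..` chain to the host root while the confined one rejects it. In a real helper this check has to be carried out on file descriptors (openat with O_NOFOLLOW, or Linux's openat2 with RESOLVE_BENEATH) rather than on path strings, because an app can replace a component with a symlink between the check and the mount.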

Impact

Any Flatpak application can exploit this vulnerability to read and write arbitrary files on the host system and, as a consequence, execute code in the host context.

Remediation

Update to Flatpak 1.16.4 or later, which contains the fix; the fix will also be included in the upcoming 1.18.0 release. As a temporary mitigation, the Flatpak portal (the org.freedesktop.portal.Flatpak D-Bus service) can be disabled, at the cost of breaking applications that depend on it, such as those that use flatpak-spawn.

Added: Apr 7, 2026, 10:49 PM
Updated: Apr 7, 2026, 10:49 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 3.0
remediation: 8.3
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.