Flatpak Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability in Flatpak versions prior to 1.16.4 allows applications to delete arbitrary files on the host system. This issue arises because the ld.so caching mechanism removes outdated cache files without properly verifying that the application-controlled path to these files is within the cache directory. As a result, Flatpak apps can manipulate files outside of their sandboxed environment.
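The missing check described above can be illustrated with a containment test applied before a stale cache entry is removed. This is an added example, not Flatpak's code and not its actual patch; `is_safe_cache_entry_name`, `remove_cache_entry`, `demo` and the scratch directory name are hypothetical, and it assumes the application-controlled value is meant to name a single entry directly inside the cache directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* mkdtemp, openat, unlinkat, O_DIRECTORY */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 only if name is a single path component, so resolving it
 * against the cache directory cannot land anywhere else. */
int is_safe_cache_entry_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL; /* no absolute paths, no "../" */
}

/* Hypothetical helper: removes one stale entry from the cache directory
 * open as cache_dirfd. Returns 0 on success, -1 with errno set otherwise. */
int remove_cache_entry(int cache_dirfd, const char *name)
{
    if (!is_safe_cache_entry_name(name)) {
        errno = EINVAL;
        return -1;
    }
    /* Resolved relative to the directory fd; if the entry is a symlink,
     * the link itself is removed and its target is left untouched. */
    return unlinkat(cache_dirfd, name, 0);
}

/* Constructed demo: a scratch cache directory and three entry names. */
int demo(void)
{
    char dir[] = "/tmp/ldcache-demo-XXXXXX";
    int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    int fd = dfd >= 0 ? openat(dfd, "stale-entry", O_CREAT | O_WRONLY, 0600) : -1;
    if (fd < 0)
        return -1;
    close(fd);
    int ok = remove_cache_entry(dfd, "stale-entry") == 0    /* inside: removed */
          && remove_cache_entry(dfd, "../outside") == -1    /* traversal: refused */
          && remove_cache_entry(dfd, "/abs/outside") == -1; /* absolute: refused */
    close(dfd);
    rmdir(dir);
    return ok ? 0 : -1;
}
int main(void) { return demo() == 0 ? 0 : 1; }
```

Both refused names are rejected before any filesystem call is made, so nothing outside the scratch directory is touched.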

Impact

Exploitation of this vulnerability enables Flatpak applications to delete any file on the host filesystem, potentially leading to data loss or system instability.

Remediation

Users can update to Flatpak version 1.16.4 or wait for the upcoming version 1.18.0, which will also include the patch.

Added: Apr 7, 2026, 10:48 PM
Updated: Apr 7, 2026, 10:48 PM

Vulnerability Rating

Custom Algorithm
spread
6.6