An update for flatpak is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2590 Final 1.0 1.0 2026-06-05 Initial 2026-06-05 2026-06-05 openEuler SA Tool V1.0 2026-06-05 flatpak security update An update for flatpak is now available for openEuler-24.03-LTS-SP1 flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information. Security Fix(es): Every Flatpak app is able to read and write arbitrary files on the host and execute code in the host context, resulting in a sandbox escape vulnerability.(CVE-2026-34078) Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.(CVE-2026-34079) An update for flatpak is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical flatpak https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2590 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34078 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34079 https://nvd.nist.gov/vuln/detail/CVE-2026-34078 https://nvd.nist.gov/vuln/detail/CVE-2026-34079 openEuler-24.03-LTS-SP1 flatpak-1.10.2-12.oe2403sp1.aarch64.rpm flatpak-debuginfo-1.10.2-12.oe2403sp1.aarch64.rpm flatpak-debugsource-1.10.2-12.oe2403sp1.aarch64.rpm flatpak-devel-1.10.2-12.oe2403sp1.aarch64.rpm flatpak-1.10.2-12.oe2403sp1.src.rpm flatpak-1.10.2-12.oe2403sp1.x86_64.rpm flatpak-debuginfo-1.10.2-12.oe2403sp1.x86_64.rpm flatpak-debugsource-1.10.2-12.oe2403sp1.x86_64.rpm flatpak-devel-1.10.2-12.oe2403sp1.x86_64.rpm flatpak-help-1.10.2-12.oe2403sp1.noarch.rpm Every Flatpak app is able to read and write arbitrary files on the host and execute code in the host context, resulting in a sandbox escape vulnerability. 2026-06-05 CVE-2026-34078 openEuler-24.03-LTS-SP1 Critical 9.3 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X flatpak security update 2026-06-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2590 Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4. 2026-06-05 CVE-2026-34079 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N flatpak security update 2026-06-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2590