Flatpak, a universal Linux packaging system for distributing desktop applications in sandboxed environments, has released version 1.16.4, the fourth bugfix update in the 1.16 series. This release addresses four vulnerabilities, including one described as a complete sandbox escape.
The most serious issue, CVE-2026-34078, could allow host file access and code execution from within the sandbox. Flatpak 1.16.4 also resolves CVE-2026-34079, which could result in arbitrary file deletion on the host filesystem.
The update also addresses a flaw that could allow an attacker to read certain files on the host through Flatpak’s system helper. A further fix covers a flaw in which one user could break tracking for another user’s ongoing app download, leaving it running without a proper way to stop it.
Due to the severity of these vulnerabilities, especially the sandbox escape flaw, users and distributions should upgrade to Flatpak 1.16.4 as soon as updates are available.
For more information, see the changelog.
