Alpine: multiple flatpak packages: security update to 1.16.4-r0

critical Tenable Self-Hosted Container Security Plugin ID 440037

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal
accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary
paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files
and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in
1.16.4. (CVE-2026-34078)

- Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for
ld.so removes outdated cache files without properly checking that the app controlled path to the outdated
cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This
vulnerability is fixed in 1.16.4. (CVE-2026-34079)

Solution

Update the flatpak library and its related packages to version 1.16.4-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-34078

https://security.alpinelinux.org/vuln/CVE-2026-34079

Plugin Details

Severity: Critical

ID: 440037

Version: Revision 1.7

Type: Local

Published: 4/8/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.8

Percentile: 99.33

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-34078

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/7/2026

Reference Information

CVE: CVE-2026-34078, CVE-2026-34079