Flatpak, a system for sandboxed desktop applications on Linux, contains two vulnerabilities in Red Hat Enterprise Linux 9. CVE-2026-34078 involves arbitrary code execution through crafted symbolic links in the sandbox-expose options, while CVE-2026-34079 involves arbitrary file deletion on the host due to improper validation of cache file paths. These issues stem from weaknesses related to path handling (CWE-59 and CWE-22). Red Hat Product Security has rated the update as important and released patched Flatpak packages across multiple architectures and product variants. The advisory references updated RPM packages and provides links for applying the update. No CVSS scores are provided, and no exploits are currently known in the wild.

Successful exploitation of CVE-2026-34078 could allow an attacker to execute arbitrary code within the Flatpak sandbox environment, potentially leading to elevated privileges or unauthorized actions. CVE-2026-34079 could enable an attacker to delete arbitrary files on the host system, potentially disrupting system stability or causing data loss. Both vulnerabilities pose significant risks to system integrity and security if left unpatched. However, no known active exploitation has been reported to date.

Red Hat has released updated Flatpak packages addressing these vulnerabilities. Users should apply the security update for Flatpak on Red Hat Enterprise Linux 9 as detailed in Red Hat advisory RHSA-2026:21755 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. There is no indication from the vendor advisory that additional mitigation steps are required beyond applying the update.