Red Hat Product Errata RHSA-2026:21756 - Security Advisory Issued: 2026-05-28 Updated: 2026-05-28 RHSA-2026:21756 - Security Advisory Overview Updated Packages Synopsis Important: flatpak security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for flatpak is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es): flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options (CVE-2026-34078) flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation (CVE-2026-34079) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for IBM z Systems 8 s390x Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat Enterprise Linux for ARM 64 8 aarch64 Red Hat CodeReady Linux Builder for x86_64 8 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 s390x Fixes BZ - 2456276 - CVE-2026-34078 flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options BZ - 2456284 - CVE-2026-34079 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation CVEs CVE-2026-34078 CVE-2026-34079 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 8 SRPM flatpak-1.12.9-4.el8_10.src.rpm SHA-256: 79bf082d102eaff9c4695d477c038cf41d6a26dc2688c64c22510a8e14c390bd x86_64 flatpak-1.12.9-4.el8_10.x86_64.rpm SHA-256: 5a42098182e17d573c29842d39deba7489e51fe9f7d24958c8586afd9c36519a flatpak-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: 214447ded59f7b6d7ec4b9e9b6cb996038e9612a0d79da41112ab87357383e24 flatpak-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: 33218857dda7558039c9df7b18a5a5f2505f40d2c56e8c5d852d7d874628bf98 flatpak-debugsource-1.12.9-4.el8_10.i686.rpm SHA-256: 58807d85970ed1c4743249ce1a90982d4b49ea24667e847b7fe85b79289561c1 flatpak-debugsource-1.12.9-4.el8_10.x86_64.rpm SHA-256: 8524bc86b0414257e8a1424ad31b915f1985d74076887e6aebcd02a90c93d948 flatpak-libs-1.12.9-4.el8_10.i686.rpm SHA-256: 3b34b379b5475159e5bbf4a92b0a8c0178eb28a623ee100d0126a81e83e98979 flatpak-libs-1.12.9-4.el8_10.x86_64.rpm SHA-256: aa2f66d44c3bfcb43624e4f98eb06f8221e7103ac9a507af93b6c73d30d1cc52 flatpak-libs-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: f301223a13e500760ab08c96e68ba261358170d760bc73fd25e710b3c142c735 flatpak-libs-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: 8b20cac64dfe94c5dc69847226312eab2b47642d7f0849889617543e25e1bca3 flatpak-selinux-1.12.9-4.el8_10.noarch.rpm SHA-256: 588386ab5741227386048794bcbf31180b8830a58d2aef7c950dfa59dbb3c9e4 flatpak-session-helper-1.12.9-4.el8_10.x86_64.rpm SHA-256: 951faad0c3c1ac26d2820225462cbeca15fc76c52ea7d2a74084329b4600d657 flatpak-session-helper-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: 587f8b28b61263773c59a4d2eef1e9f791a2884baa5e906ce77ab9f9e395656a flatpak-session-helper-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: ed5c2aac0475b3edae1775e904c68a62566bb3150acdd68f2e3e49ea64e77f9e flatpak-tests-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: b0ba26713b8449034a88b0dd9f67bcf128ea6258cd416cd6146b5a22a12c1345 flatpak-tests-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: 868c7268132e7c3bc74141a35102548b7ea12a0c344a1c27ee6b35961529331d Red Hat Enterprise Linux for IBM z Systems 8 SRPM flatpak-1.12.9-4.el8_10.src.rpm SHA-256: 79bf082d102eaff9c4695d477c038cf41d6a26dc2688c64c22510a8e14c390bd s390x flatpak-1.12.9-4.el8_10.s390x.rpm SHA-256: b02c33a705d073d44c4856e50aaa5d1adfdacbd938cfc4bfb7e2c201c154e4fa flatpak-debuginfo-1.12.9-4.el8_10.s390x.rpm SHA-256: ef1d988b05c503c16d9299e830dba472189da826e160378cd6748ee5e9470838 flatpak-debugsource-1.12.9-4.el8_10.s390x.rpm SHA-256: 22b3ac8a29d207dd5547b58eb44780c43bf7659a6bb0ac79c4169517a3f827b7 flatpak-libs-1.12.9-4.el8_10.s390x.rpm SHA-256: eb33da203853e7f9d6de8bb2c811a3a0f19a26d460dc5d0b687e0fad55355548 flatpak-libs-debuginfo-1.12.9-4.el8_10.s390x.rpm SHA-256: f3cea1c351eb4219ddef4acb61df44c0b488a4913109dc715a14441c9f6a4c9d flatpak-selinux-1.12.9-4.el8_10.noarch.rpm SHA-256: 588386ab5741227386048794bcbf31180b8830a58d2aef7c950dfa59dbb3c9e4 flatpak-session-helper-1.12.9-4.el8_10.s390x.rpm SHA-256: aa6112a12b94505bac899a432bf3f74a58e179bfb4ea747316d62cf2cb0e4b73 flatpak-session-helper-debuginfo-1.12.9-4.el8_10.s390x.rpm SHA-256: 30e1959eef9e2609dc6369d4cc75d7b4b6b3818f0895d33713a375eb36ae456b flatpak-tests-debuginfo-1.12.9-4.el8_10.s390x.rpm SHA-256: 4ed34d7608d93e2afbadcf11214c660aff456c121a976bd5eb2ead96a3fb58c2 Red Hat Enterprise Linux for Power, little endian 8 SRPM flatpak-1.12.9-4.el8_10.src.rpm SHA-256: 79bf082d102eaff9c4695d477c038cf41d6a26dc2688c64c22510a8e14c390bd ppc64le flatpak-1.12.9-4.el8_10.ppc64le.rpm SHA-256: 6f689da2fd95aad200f648792b1d96ab64245d909f1406bfe1ceddcae67b2dfa flatpak-debuginfo-1.12.9-4.el8_10.ppc64le.rpm SHA-256: 373d42ee8b9e8c06c867d9a3b14f4b75f711d349a4feb0df96f6209408009ff0 flatpak-debugsource-1.12.9-4.el8_10.ppc64le.rpm SHA-256: c038cbf11472ce51b6caccf9145b97a209d0a2077cd0a985304e994c4f82f3ea flatpak-libs-1.12.9-4.el8_10.ppc64le.rpm SHA-256: c33301c130661dcb55923bef0c700e8c264d2b710aa3ab197200bc88aa2f5306 flatpak-libs-debuginfo-1.12.9-4.el8_10.ppc64le.rpm SHA-256: dc0764da9aca8e212ab2e0b53f84fe64c0eb399ef89b451d956e2aa307481b77 flatpak-selinux-1.12.9-4.el8_10.noarch.rpm SHA-256: 588386ab5741227386048794bcbf31180b8830a58d2aef7c950dfa59dbb3c9e4 flatpak-session-helper-1.12.9-4.el8_10.ppc64le.rpm SHA-256: fe9ca8e2126a404eb577c1a08d8671d7f5f55e467a5b4a2889ff9095c24e1508 flatpak-session-helper-debuginfo-1.12.9-4.el8_10.ppc64le.rpm SHA-256: 0697670a0e65bbe92dc784348f70c573d1bce74e4bf0ba0c5ae92001cfdba807 flatpak-tests-debuginfo-1.12.9-4.el8_10.ppc64le.rpm SHA-256: b1bcb8174ce15df0c9eab150b53cff237349d629ec5159d3167b000c265d7397 Red Hat Enterprise Linux for ARM 64 8 SRPM flatpak-1.12.9-4.el8_10.src.rpm SHA-256: 79bf082d102eaff9c4695d477c038cf41d6a26dc2688c64c22510a8e14c390bd aarch64 flatpak-1.12.9-4.el8_10.aarch64.rpm SHA-256: 78f9939ad381b6af42e8570144207cc4d2ecf9cfd24efd3d88cd8f5f2a71bbd6 flatpak-debuginfo-1.12.9-4.el8_10.aarch64.rpm SHA-256: de9f8cedef20472fe0e0470f3bd9b075c4f942a92e5e0d86bf4a84ecc9434930 flatpak-debugsource-1.12.9-4.el8_10.aarch64.rpm SHA-256: fbdb57fa667b5dc4a07f0803b708658ac74d7c7d95885d7d9648a50f4300aded flatpak-libs-1.12.9-4.el8_10.aarch64.rpm SHA-256: 775f7d15f3daa43e1de05286b891e547da8ef801d23e690108df146b27431fb9 flatpak-libs-debuginfo-1.12.9-4.el8_10.aarch64.rpm SHA-256: a8894d0348b3fa3f83ddbfe638189e5c18ea46ebce8f3be6740818fece0f975a flatpak-selinux-1.12.9-4.el8_10.noarch.rpm SHA-256: 588386ab5741227386048794bcbf31180b8830a58d2aef7c950dfa59dbb3c9e4 flatpak-session-helper-1.12.9-4.el8_10.aarch64.rpm SHA-256: 9f6a8040fd94e8a16521c0acaa76fecd26b5235d4c0e314ca555f1ee359954b6 flatpak-session-helper-debuginfo-1.12.9-4.el8_10.aarch64.rpm SHA-256: f8318482a6029826a0a04d4dc057703bde35fb215d441d078b6eb5165c10e277 flatpak-tests-debuginfo-1.12.9-4.el8_10.aarch64.rpm SHA-256: 8ea09aff82fdea77aa0e914650bb5e4a14a5a5b56cef48ebab3c5a40e099dee6 Red Hat CodeReady Linux Builder for x86_64 8 SRPM x86_64 flatpak-1.12.9-4.el8_10.i686.rpm SHA-256: d8ea16cd1e8f1fe50e6cab34bb5142b11e833d57c9d2de2f862f934c2136e2d1 flatpak-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: 214447ded59f7b6d7ec4b9e9b6cb996038e9612a0d79da41112ab87357383e24 flatpak-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: 33218857dda7558039c9df7b18a5a5f2505f40d2c56e8c5d852d7d874628bf98 flatpak-debugsource-1.12.9-4.el8_10.i686.rpm SHA-256: 58807d85970ed1c4743249ce1a90982d4b49ea24667e847b7fe85b79289561c1 flatpak-debugsource-1.12.9-4.el8_10.x86_64.rpm SHA-256: 8524bc86b0414257e8a1424ad31b915f1985d74076887e6aebcd02a90c93d948 flatpak-devel-1.12.9-4.el8_10.i686.rpm SHA-256: fdd28c01aaf5ba609abfeae3cb11a381e5ff0ea74e192f3961115379351b501b flatpak-devel-1.12.9-4.el8_10.x86_64.rpm SHA-256: 1394719019961b318d1300c2153f5ba004d888c9665c4a8dd9587159792d12d9 flatpak-libs-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: f301223a13e500760ab08c96e68ba261358170d760bc73fd25e710b3c142c735 flatpak-libs-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: 8b20cac64dfe94c5dc69847226312eab2b47642d7f0849889617543e25e1bca3 flatpak-session-helper-1.12.9-4.el8_10.i686.rpm SHA-256: be99949b3cf1479a68af87fee413f19ca214c714eed6352999342eb9b46f49c5 flatpak-session-helper-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: 587f8b28b61263773c59a4d2eef1e9f791a2884baa5e906ce77ab9f9e395656a flatpak-session-helper-debuginfo-1.12.9-4.el8_10.x86_64.rpm SHA-256: ed5c2aac0475b3edae1775e904c68a62566bb3150acdd68f2e3e49ea64e77f9e flatpak-tests-debuginfo-1.12.9-4.el8_10.i686.rpm SHA-256: b0ba26713b8449034a88b0dd9f67bcf128ea6258cd416cd6146b5a22a12c1345 flatpak-tests-debuginfo-1.12.9-4.el