CVE-2026-40354

Опубликовано: 11 апр. 2026

Источник: redhat

CVSS3: 6.1

EPSS Низкий

Описание

A flaw was found in Flatpak xdg-desktop-portal. A malicious Flatpak application can exploit this vulnerability by performing a symbolic link (symlink) attack on the g_file_trash function. This allows the Flatpak application to delete any file on the host system, leading to a denial of service.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 10	xdg-desktop-portal	Fix deferred
Red Hat Enterprise Linux 7	xdg-desktop-portal	Fix deferred
Red Hat Enterprise Linux 8	xdg-desktop-portal	Fix deferred
Red Hat Enterprise Linux 9	xdg-desktop-portal	Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-59

https://bugzilla.redhat.com/show_bug.cgi?id=2457541flatpak: xdg-desktop-portal: Flatpak xdg-desktop-portal: File deletion via symlink attack

EPSS

Процентиль: 3%

0.00014

Низкий

6.1 Medium

CVSS3

Связанные уязвимости

CVE-2026-40354

CVSS3: 2.9

ubuntu

2 дня назад

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

CVE-2026-40354

CVSS3: 2.9

nvd

4 дня назад

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

CVE-2026-40354

CVSS3: 2.9

debian

4 дня назад

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allo ...

GHSA-v5fw-rcv7-v6f3

CVSS3: 2.9

github

4 дня назад

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.

EPSS

Процентиль: 3%

0.00014

Низкий

6.1 Medium

CVSS3