Platform: linux
Component: xdg-desktop-portal
Fixed in: 1.20.4, 1.21.1
CVE-2026-40354 is a security vulnerability affecting xdg-desktop-portal, a component facilitating sandboxed application access to system resources. This flaw allows malicious Flatpak applications to bypass sandboxing restrictions and permanently delete files within the host system's file structure through a symlink attack. The vulnerability impacts versions 0.0.0 through 1.21.1, and a fix is available in version 1.21.1.
The core of this vulnerability lies in the improper handling of symbolic links within the xdg-desktop-portal's trash functionality. A malicious Flatpak application can create a symbolic link pointing to a sensitive file on the host system. When the application attempts to 'trash' this symbolic link, the portal incorrectly interprets it as a request to delete the target file, effectively granting the application unauthorized deletion privileges. This could lead to data loss, system instability, or even privilege escalation if critical system files are targeted. The blast radius extends to any files accessible by the user running the Flatpak application.
This vulnerability was publicly disclosed on 2026-04-11. There is currently no indication of active exploitation campaigns targeting CVE-2026-40354. The CVSS score of 2.9 rates the severity as low, and the low EPSS score (0.02%) likewise suggests a low probability of exploitation in the wild. No public proof-of-concept exploits have been released at the time of writing.
Users of Linux distributions utilizing Flatpak for application sandboxing are at risk, particularly those running versions of xdg-desktop-portal prior to 1.21.1. This includes users who rely on Flatpak for secure application deployment and those who have granted Flatpak applications broad permissions.
• linux / server:
find /path/to/flatpak/data -type l -print0 | xargs -0 ls -l | grep '^l' # Check for suspicious symlinks within Flatpak data directories
journalctl -f | grep -i 'xdg-desktop-portal' # Monitor portal logs for unusual activity
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40354 is to upgrade xdg-desktop-portal to version 1.21.1 or later. If an immediate upgrade is not feasible due to compatibility issues or system constraints, consider implementing stricter sandboxing policies for Flatpak applications. This could involve limiting the permissions granted to applications or restricting their access to sensitive directories. Because xdg-desktop-portal is a local desktop component, a WAF rule is not a useful control here; monitoring for unusual file deletion activity within the user's home directory could instead provide an early warning sign. After upgrading, verify the fix by attempting to trash a symbolic link pointing to a test file; the portal should refuse the operation.
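A small version-triage helper, added here as an example and not part of the advisory or of the xdg-desktop-portal project: it classifies an installed xdg-desktop-portal version against the fixed versions this page lists (1.20.4 for the 1.20 series, 1.21.1 otherwise). It assumes `xdg-desktop-portal --version` prints the version string and that GNU `sort -V` is available; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): triage an xdg-desktop-portal version
# against the fixed versions on this page: 1.20.4 (1.20 series) and 1.21.1.
# Assumption: the 1.20 branch is fixed from 1.20.4 on; everything else is
# fixed from 1.21.1 on. Versions below 1.20 have no fixed release and are
# therefore reported as vulnerable.

# version_ge A B: succeed when A >= B under natural version ordering (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# is_fixed VERSION: exit 0 if VERSION carries the fix, 1 if it is vulnerable.
is_fixed() {
    v="$1"
    case "$v" in
        1.20.*) version_ge "$v" 1.20.4 ;;
        *)      version_ge "$v" 1.21.1 ;;
    esac
}

# installed_version: print the version of the binary on PATH, or fail if absent.
# Assumption: `xdg-desktop-portal --version` prints something containing the
# bare version; non-digit characters are stripped before comparison.
installed_version() {
    command -v xdg-desktop-portal >/dev/null 2>&1 || return 1
    xdg-desktop-portal --version 2>/dev/null | tr -dc '0-9.\n' | head -n1
}

# check_host: human-readable verdict for the local installation.
# Exit codes: 0 fixed, 1 vulnerable, 2 binary not found.
check_host() {
    v="$(installed_version)" || { echo "xdg-desktop-portal not found on PATH"; return 2; }
    if is_fixed "$v"; then
        echo "xdg-desktop-portal $v: contains the fix for CVE-2026-40354"
        return 0
    fi
    echo "xdg-desktop-portal $v: affected by CVE-2026-40354, upgrade to 1.20.4 or 1.21.1+"
    return 1
}
```

Run `check_host` after sourcing the file (for example `sh -c '. ./triage.sh; check_host'`). Distributions sometimes backport the fix without changing the upstream version string, so a "vulnerable" verdict should be confirmed against the distribution's own changelog before raising an alarm.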
Upgrade xdg-desktop-portal to version 1.20.4 or later, or to version 1.21.1 or later, to mitigate the vulnerability. This update fixes a security flaw that allows Flatpak applications to trash files on the host system through a symbolic link attack. Make sure to update all systems that use xdg-desktop-portal.
CVE-2026-40354 is a vulnerability in xdg-desktop-portal allowing Flatpak apps to delete host files via a symlink attack, impacting versions 0.0.0–1.21.1.
You are affected if you use xdg-desktop-portal versions 0.0.0 through 1.21.1 on a Linux system with Flatpak installed.
Upgrade xdg-desktop-portal to version 1.21.1 or later to resolve the vulnerability. Consider stricter Flatpak sandboxing policies as a temporary workaround.
There is currently no indication of active exploitation campaigns targeting CVE-2026-40354.
Refer to the official xdg-desktop-portal project website or relevant security mailing lists for the latest advisory information.