SB20260424121 - Anolis OS update for flatpak

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) UNIX symbolic link following (CVE-ID: CVE-2024-42472)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue when mounting persistent directories. A local user can create a specially crafted symbolic link and escape sandbox.

2) Improper access control (CVE-ID: CVE-2026-34078)

The vulnerability allows a remote attacker to execute code in the host context.

The vulnerability exists due to improper access control in the Flatpak portal and flatpak run when processing sandbox-expose options containing app-controlled symlinks. A remote attacker can supply a crafted path to gain access to arbitrary host files and execute code in the host context.

The issue enables sandbox escape from a Flatpak app to the host environment.

3) Path traversal (CVE-ID: CVE-2026-34079)

The vulnerability allows a local user to delete arbitrary files on the host filesystem.

The vulnerability exists due to improper path validation in ld.so cache file caching when removing outdated cache files. A local user can control the path to an outdated cache file to delete arbitrary files on the host filesystem.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2026:0522