🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026
Affected versions: openSUSE Tumbleweed

📖 ~4 min read  •  Source: SUSE advisory SUSE-SU-2026:1511-1 (see also SUSE bugzilla)

Related CVEs: CVE-2026-34078 CVE-2024-42472 CVE-2024-32462 CVE-2023-28100 CVE-2021-43860 CVE-2021-41133 CVE-2017-5226 CVE-2019-10063  +5 more

Upstream summary: Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On openSUSE Tumbleweed hosts that have flatpak installed, administrators report behaviour consistent with SUSE advisory SUSE-SU-2026:1511-1: zypper dup --dry-run shows pending rolling updates, services backed by flatpak fail or restart unexpectedly, AppArmor profile warnings appear in journalctl -k — and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever flatpak sits on the serving path.

Environment & Reproduction

Reproduction targets openSUSE Tumbleweed. Confirm release and installed package:

cat /etc/os-release
rpm -q flatpak
zypper info flatpak | head -20
zypper lr -E                              # enabled repositories

Trigger the workflow that exposes flatpak — multiple vulnerabilities (13 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u flatpak -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo journalctl -k | grep -i apparmor | tail -100
# Bundle evidence for SUSE / community support:
sudo supportconfig -R /var/tmp -B flatpak

Root Cause Analysis

Root cause is documented in SUSE advisory SUSE-SU-2026:1511-1. openSUSE security maintainers shipped fixes in the corresponding flatpak update for openSUSE Tumbleweed; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:

sudo zypper history | grep flatpak
sudo zypper history --since='-7 days' | tail -40
sudo journalctl -k | grep -i apparmor | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules
snapper list | tail -20         # snapshots taken around each zypper transaction

Quick Triage

Run these on openSUSE Tumbleweed to capture the current state of flatpak:

rpm -q flatpak                              # installed NVR
rpm -V flatpak                              # verify shipped files
sudo zypper ref                            # refresh repos
sudo zypper dup --dry-run                  # pending rolling updates
systemctl --failed --no-pager
sudo firewall-cmd --list-all
sudo aa-status                             # AppArmor profiles
# If flatpak ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i flatpak | head

Step-by-Step Diagnosis

  1. List failed systemd units.

    systemctl --failed --no-pager

  2. Tail the journal for flatpak and the system bus.

    sudo journalctl -u flatpak -f --no-pager
sudo journalctl -xe -f --no-pager

  3. Inspect firewall posture (firewalld is the default on openSUSE).

    sudo firewall-cmd --list-all-zones --permanent
sudo nft list ruleset 2>/dev/null | head -50

  4. Surface AppArmor denials and switch the profile to complain mode if needed.

    sudo journalctl -k | grep -i 'apparmor="DENIED"' | tail -30
sudo aa-status
sudo aa-complain /etc/apparmor.d/usr.sbin.flatpak 2>/dev/null || true

  5. Verify flatpak integrity and reinstall if anything is altered.

    sudo rpm -V flatpak
sudo zypper verify
sudo zypper install --force flatpak

  6. Inspect Snapper snapshots to know exactly which transaction introduced the regression.

    sudo snapper list | tail -20
sudo snapper status <pre-id>..<post-id>

  7. Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory SUSE-SU-2026:1511-1 to pin the change that introduced flatpak — multiple vulnerabilities (13 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory SUSE-SU-2026:1511-1, then reload affected systemd units:

sudo zypper ref                                      # refresh repos
# Tumbleweed is a rolling release — use 'dup', not 'patch':
sudo zypper dup --no-allow-vendor-change             # rolling distribution upgrade
# To target only the affected package while still on rolling:
sudo zypper dup --no-allow-vendor-change flatpak
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i flatpak | head
sudo systemctl restart flatpak
rpm -q flatpak                                          # confirm new NVR
systemctl is-active flatpak 2>/dev/null                 # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl rolls a reboot is required. Tumbleweed does not ship Live Patching, so plan a maintenance window or use Snapper to roll back if a regression appears:

sudo zypper ps -s                      # services using deleted libs
sudo snapper list | tail -5            # confirm pre/post snapshots exist
sudo systemctl reboot                  # or: sudo shutdown -r now

Need help rolling this patch across an openSUSE fleet? Our IT Solutions & Services team supports openSUSE Leap and Tumbleweed estates with snapper-backed rollback workflows and salt-driven patching. Get in touch for a free consultation.

Solution – Alternative Approaches

If the primary fix is not viable, choose from these:

  • Roll back via Snapper (Btrfs snapshots are taken automatically before zypper transactions on openSUSE Tumbleweed). This is the primary safety net for openSUSE administrators:

    sudo snapper list
sudo snapper status <pre-id>..<post-id>   # diff between two snapshot numbers
sudo snapper undochange <pre-id>..<post-id>
sudo snapper rollback <pre-id>            # boot the host into the chosen snapshot
sudo systemctl reboot

  • Lock the package so zypper cannot upgrade it:

    sudo zypper al flatpak                   # add lock
zypper ll | grep flatpak                 # list locks
sudo zypper rl flatpak                   # remove lock

  • Install an older NVR if a regression is suspected:

    zypper se -s flatpak                     # show all available versions
sudo zypper install --oldpackage flatpak-<older-NVR>

  • Disable the AppArmor profile briefly to confirm policy is the cause, then re-enable:

    sudo aa-disable /etc/apparmor.d/usr.sbin.flatpak
# reproduce, capture denials in the journal:
sudo journalctl -k | grep apparmor | tail
sudo aa-enforce /etc/apparmor.d/usr.sbin.flatpak

  • Pin Tumbleweed to a known-good snapshot from the openSUSE history server while you investigate. This keeps the rolling release reproducible across a fleet:

    # Edit /etc/zypp/repos.d/repo-oss.repo and point baseurl at
#   http://download.opensuse.org/history/<YYYYMMDD>/tumbleweed/repo/oss/
sudo zypper ref
sudo zypper dup --no-allow-vendor-change

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q flatpak                                            # expected fixed NVR
sudo zypper dup --dry-run                                # no pending rolls expected
systemctl is-active flatpak 2>/dev/null
sudo journalctl -u flatpak --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
sudo aa-status | head -5
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction for flatpak — multiple vulnerabilities (13 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change. On openSUSE, Snapper is the canonical rollback path:

rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-flatpak'   # explicit named snapshot
sudo snapper list | head

To revert if the patch / roll is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper list
sudo snapper rollback <pre-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage flatpak-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart flatpak
# Custom AppArmor profile cleanup:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.flatpak

Prevention & Hardening

Reduce the chance of this recurring on openSUSE Tumbleweed:

  • Run rolling upgrades on a schedule — Tumbleweed receives a snapshot most weekdays. Stagger across the fleet so any regression is caught early:

    sudo zypper ref
sudo zypper dup --no-allow-vendor-change
# Optional: drive from salt/ansible with a maintenance window per host group.

  • Subscribe to opensuse-security-announce and watch suse.com/support/update.

  • Lock sensitive packages so they cannot be auto-upgraded:

    sudo zypper al flatpak

  • Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction. This is the cornerstone of safe openSUSE patching:

    sudo snapper -c root get-config | head
# Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin
sudo snapper list | tail -10

  • Monitor file integrity with AIDE:

    sudo zypper install -y aide
sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

  • Keep AppArmor profiles in enforce; review /etc/apparmor.d/ after every package upgrade.

  • Apply CIS / openSUSE hardening guidance and use salt or ansible to enforce baseline state across the fleet.

Issues that commonly surface alongside flatpak — multiple vulnerabilities (13 CVEs) — patch and remediation guide: zypper lock contention, systemd unit ordering cycles, AppArmor denials, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo journalctl -k | grep apparmor | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo snapper list | tail

View all opensuse-tumbleweed tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: SUSE advisory SUSE-SU-2026:1511-1 (see also SUSE bugzilla). Manual pages useful on openSUSE Tumbleweed:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man apparmor
man aa-status

Other resources: openSUSE documentation, suse.com/security, openSUSE security portal, and per-package notes in /usr/share/doc/packages/flatpak/ for components implicated in flatpak — multiple vulnerabilities (13 CVEs) — patch and remediation guide.


View all openSUSE Tumbleweed tutorials on the Tutorials Hub →