Anonymizing Linux: Emergency update to Tails 7.6.2 closes Flatpak vulnerability
A security vulnerability in Flatpak is the trigger for an emergency update for the Linux distribution Tails, which enables anonymous browsing.
The maintainers of the Linux distribution Tails for anonymous internet browsing have released an emergency update. Tails 7.6.2 closes a security vulnerability in Flatpak.
In the version announcement, the Tails developers explain that they have updated the Flatpak package to version 1.16.6. This closes a security vulnerability that allows breaking out of a sandbox with access to arbitrary files on the host and consequently executing code in the host context (CVE-2026-34078, CVSS4 9.3, risk “critical”; already closed in Flatpak 1.16.4).
The Tails maintainers explain that attackers could use this vulnerability to break out of the Tor Browser's security environment and access all files that do not require an admin password for access. This includes the persistent storage. They also point out that to exploit the vulnerability, malicious actors must first exploit another vulnerability that gives them control over the Tor Browser.
Updated Software
There are no other noteworthy changes in Tails 7.6.2. Nevertheless, users of the distribution, for example those who boot it on other people's computers to get a protected environment for anonymous web surfing, should update the software. Otherwise, they run the risk that attackers, such as state actors in regimes that practice censorship, could circumvent the security mechanisms, read sensitive information from persistent storage and current Tor sessions without authorization, and use it against them.
Updated images are available for download for creating bootable USB sticks, burning to DVDs, or for use in VMs in ISO format. Just a week ago, the Tails project released an emergency update to version 7.6.1. In it, the developers closed a security vulnerability in the Tor Browser.
(dmk)