[-] KarnaSubarna@lemmy.ml 1 points 1 day ago

My bad, sometimes I forget that Tailscale is nothing but a WireGuard VPN.

[-] KarnaSubarna@lemmy.ml 3 points 1 day ago

Osama Bin Laden and most of the 9/11 perpetrators were Saudis, weren’t they?

[-] KarnaSubarna@lemmy.ml -3 points 1 day ago
[-] KarnaSubarna@lemmy.ml 2 points 1 day ago

If running as rootless docker then it’s free. But, if running as rootful docker then pay up.

/s

36
submitted 1 month ago by KarnaSubarna@lemmy.ml to c/linux@lemmy.ml

First up with Flatpak 1.16.4 is a fix for CVE-2026-34078, which is a security issue allowing a complete sandbox escape leading to host file access and code execution in the host context. Ouch. The issue is due to Flatpak portal accepting paths in the sandbox-expose options that can be app-controlled symlinks pointing at arbitrary paths. Due to this, apps can access all host files, and this can be used as a primitive for gaining code execution in the host context. Disabling Flatpak Portal is another way to work around this issue but can cause app problems.

CVE-2026-34079 is also fixed and is for preventing arbitrary file deletion on the host file-system. CVE-2026-34079 stems from caching for ld.so removing outdated cache files without checking that the app-controlled path to the outdated cache is in the cache directory.
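
The containment check whose absence the CVE-2026-34079 description above points to, as an added example (not Flatpak's code and not its actual patch). The function name `remove_stale_cache` and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile


def remove_stale_cache(cache_dir, untrusted_path):
    """Unlink untrusted_path only if its parent directory resolves inside cache_dir."""
    cache_real = os.path.realpath(cache_dir)
    # An absolute untrusted_path replaces cache_real in join(); the check below catches it.
    full = os.path.join(cache_real, untrusted_path)
    name = os.path.basename(full)
    if name in ("", ".", ".."):
        return False
    # Resolve symlinks and ".." in the directory part, then require containment.
    parent_real = os.path.realpath(os.path.dirname(full))
    if os.path.commonpath([cache_real, parent_real]) != cache_real:
        return False
    # unlink() never follows a symlink in the final component. A race remains between
    # the check and open(); production code would walk the path with openat() instead.
    fd = os.open(parent_real, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.unlink(name, dir_fd=fd)
    except OSError:
        return False  # missing file, directory, or permission problem
    finally:
        os.close(fd)
    return True


def demo():
    """Constructed tree: a cache dir, a 'host' dir outside it, and a symlink into it."""
    with tempfile.TemporaryDirectory() as root:
        cache, host = os.path.join(root, "cache"), os.path.join(root, "host")
        os.mkdir(cache)
        os.mkdir(host)
        victim = os.path.join(host, "victim.txt")
        for path in (victim, os.path.join(cache, "old.cache")):
            open(path, "w").close()
        os.symlink(host, os.path.join(cache, "link"))  # app-controlled symlink
        cases = {"in_cache": "old.cache", "dotdot": "../host/victim.txt",
                 "absolute": victim, "via_symlink": "link/victim.txt"}
        results = {label: remove_stale_cache(cache, p) for label, p in cases.items()}
        results["victim_survives"] = os.path.exists(victim)
        return results


if __name__ == "__main__":
    print(demo())
```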

300
submitted 1 month ago by KarnaSubarna@lemmy.ml to c/world@lemmy.world
22
submitted 2 months ago by KarnaSubarna@lemmy.ml to c/linux@lemmy.ml

How to check if you are impacted

To get the version of the sudo package installed, run the following command:

dpkg -l 'sudo*' | grep ^ii

The following table lists the fixed versions of the sudo package in all supported Ubuntu releases:

| Release | Package | Fixed version |
|---|---|---|
| Questing Quokka (25.10) | sudo | 1.9.17p2-1ubuntu1.1 |
| | sudo-ldap | 1.9.17p2-1ubuntu1.1 |
| | sudo-rs | Not affected |
| Noble Numbat (24.04 LTS) | sudo | 1.9.15p5-3ubuntu5.24.04.2 |
| | sudo-ldap | 1.9.15p5-3ubuntu5.24.04.2 |
| Jammy Jellyfish (22.04 LTS) | sudo | 1.9.9-1ubuntu2.6 |
| | sudo-ldap | 1.9.9-1ubuntu2.6 |
| Focal Fossa (20.04 LTS) | sudo | Not affected |
| | sudo-ldap | Not affected |
| Bionic Beaver (18.04 LTS) | sudo | Not affected |
| | sudo-ldap | Not affected |
| Xenial Xerus (16.05 LTS) | sudo | Not affected |
| | sudo-ldap | Not affected |
| Trusty Tahr (14.04 LTS) | sudo | Not affected |
| | sudo-ldap | Not affected |

Affected sudo versions

How to address

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible, the sudo userspace mitigations can be installed directly and do not require a reboot to apply:

sudo apt update
sudo apt install sudo

The unattended-upgrades feature is enabled by default for Ubuntu Xenial Xerus (16.04 LTS) onwards. This service:  

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available.
24

133
submitted 3 months ago by KarnaSubarna@lemmy.ml to c/linux@lemmy.ml

Distro developers began discussing ways to reduce the size of firmware updates last year. Now, in Ubuntu 26.04, it’s introducing meta-packaging to spread Linux firmware across 17 smaller packages in the resolute archives. This resolves a bug filed in 2022.

The sub-packages are:

  • linux-firmware-mellanox-spectrum
  • linux-firmware-intel-wireless
  • linux-firmware-intel-graphics
  • linux-firmware-amd-graphics
  • linux-firmware-nvidia-graphics
  • linux-firmware-intel-misc
  • linux-firmware-broadcom-wireless
  • linux-firmware-netronome
  • linux-firmware-misc
  • linux-firmware-qlogic
  • linux-firmware-marvell-wireless
  • linux-firmware-mediatek
  • linux-firmware-marvell-prestera
  • linux-firmware-realtek
  • linux-firmware-qualcomm-wireless
  • linux-firmware-qualcomm-graphics
  • linux-firmware-qualcomm-misc
10
submitted 3 months ago* (last edited 3 months ago) by KarnaSubarna@lemmy.ml to c/cybersecurity@sh.itjust.works

782
submitted 3 months ago* (last edited 3 months ago) by KarnaSubarna@lemmy.ml to c/linux@lemmy.ml
379
83
submitted 5 months ago by KarnaSubarna@lemmy.ml to c/privacy@lemmy.ml

According to complaints filed this Monday in Texas state courts, the TV makers can allegedly use ACR technology to capture screenshots of television displays every 500 milliseconds, monitor the users' viewing activity in real time, and send this information back to the companies' servers without the users' knowledge or consent.

238
submitted 5 months ago* (last edited 5 months ago) by KarnaSubarna@lemmy.ml to c/linux@lemmy.ml

https://system76.com/pop/download/

Release Notes

  • Pop!_OS 24.04 LTS includes the new COSMIC Desktop Environment, designed and developed by System76.

  • Some GNOME apps are replaced by COSMIC apps

    • GNOME Files (Nautilus) > COSMIC Files
    • GNOME Terminal > COSMIC Terminal
    • GNOME Text Editor > COSMIC Text Editor
    • GNOME Media Player (Totem) > COSMIC Media Player
  • Pop!_Shop is replaced by COSMIC Store

  • Key components

    • COSMIC Epoch 1
    • Linux kernel 6.17.9
    • Mesa 25.1.5-1
    • NVIDIA Driver 580
  • Some games may start partially off-screen. Press F11 or Super+F11 to fullscreen the game

  • Display toggle hotkeys and an on-screen display are not supported yet

  • COSMIC has a built-in screenshot tool. If you require annotations, we recommend Flameshot, which can be installed from Flathub via COSMIC Store. Version 13.1 or higher is required for COSMIC

  • COSMIC is not currently optimized for touch devices. An on-screen-keyboard is in development.

  • The COSMIC Desktop will be continuously updated with new features and improvements after release

  • Kernels and hardware support are continuously updated in Pop!_OS

  • You can follow COSMIC DE feature and improvement progress on the project board

204
submitted 6 months ago* (last edited 6 months ago) by KarnaSubarna@lemmy.ml to c/linux@lemmy.ml

https://github.com/iDescriptor/iDescriptor

Currently it supports AppImage, but a Flatpak version will possibly be available in the future: https://github.com/iDescriptor/iDescriptor/issues/1

40

The researchers from the University of Vienna and SBA Research used WhatsApp's contact-discovery feature, which lets you submit a phone number to the platform's GetDeviceList API endpoint to determine whether a phone number is associated with an account and what devices were used.

Without strict rate limiting, APIs like this can be abused to perform large-scale enumeration across a platform.

The researchers found this to be the case with WhatsApp, as they were able to send a high volume of queries directly to WhatsApp's servers, checking more than 100 million numbers per hour.

They ran the entire operation from a single university server using just five authenticated sessions, initially expecting to get caught by WhatsApp. However, the platform never blocked the accounts, never throttled their traffic, never restricted their IP address, and never reached out despite all the abusive activity coming from one device.

The researchers then generated a global set of 63 billion potential mobile numbers and tested all of them against the API. Their queries returned 3.5 billion active WhatsApp accounts.

[-] KarnaSubarna@lemmy.ml 45 points 2 years ago* (last edited 2 years ago)

In India, the share of Linux desktop doubled within just one year (from 8% to 16%). I only hope this data is right.

https://gs.statcounter.com/os-market-share/desktop/india/#monthly-202301-202407

[-] KarnaSubarna@lemmy.ml 43 points 2 years ago

UX is a very subjective matter.

[-] KarnaSubarna@lemmy.ml 53 points 2 years ago

Bad news is that it is not clear at this point whether Mozilla is going to go forward with the implementation. A post on Reddit by one of the project members suggests that the build is a "rough proof-of-concept". Some features tested in the build "did not survive". It is unclear which did not, as they are not mentioned. Mozilla is, however, implementing those that survived the cut into Firefox. Again, the poster does not mention which those are. It is also not verified that the poster is actually a member of the project team, so take this with a grain of salt as well.

[-] KarnaSubarna@lemmy.ml 122 points 2 years ago

  • Careful choice of program to infect the whole Linux ecosystem
  • Time it took to gain trust
  • Level of sophistication in introducing a backdoor in an open source product

All of these are signs of persistent threat actors, aka state-sponsored hackers. Though the real motive we would never know, as it's now a failed project.

[-] KarnaSubarna@lemmy.ml 48 points 2 years ago* (last edited 2 years ago)

There is a work-in-progress version of Firefox for iOS with Gecko engine.

But there is also a challenge that Mozilla is facing, as Apple is still trying to make the life of developers of other browsers as difficult as possible.

So, not sure how the whole thing will turn out.

KarnaSubarna

0 post score
0 comment score
joined 2 years ago