Tails 7.6.2 patches vulnerability that could expose saved files

The Tails Project released Tails v7.6.2, an emergency release of the popular open source secure portable operating system.

What is Tails?

Tails, which is based on Debian GNU/Linux, is aimed at users who want to preserve their online privacy and anonymity.

The OS is installed on a dedicated USB stick and, when plugged into a computer, allows users to read and edit documents and images, watch videos, browse the web via the Tor internet anonymity network / Tor Browser, and more.

Tails operates entirely within the computer’s RAM, leaving no trace on the hard drive or any other storage. Once the USB stick is unplugged, Tails also scrubs the majority of used RAM.

The vulnerability

Tails users can save files, applications and settings to an encrypted “Persistent Storage” partition on their Tails drive.

But a recently fixed sandbox escape vulnerability (CVE-2026-34078) in Flatpak, a Linux application sandboxing and distribution framework that’s used by Tails’ Tor Browser, may allow an attacker to break the security confinement of the browser and access all files that don’t require an administration password, including those in the Persistent Storage.

“This vulnerability can only be exploited by a powerful attacker who has already exploited another vulnerability to take control of Tor Browser,” the Tails Project explained.

CVE-2026-34078 and three other vulnerabilities were patched in Flatpak v1.16.4 a week ago.

While CVE-2026-34078 is not a critical-severity vulnerability, users are still advised to upgrade to Tails v7.6.2 as soon as possible.
