CyberSecurityNews

Ubuntu Desktop Systems Vulnerability Enables Attackers to Gain Full Root Access



A Local Privilege Escalation (LPE) vulnerability in default installations of Ubuntu Desktop 24.04 and later allows an unprivileged local attacker to gain full root access.

Tracked as CVE-2026-3888 and uncovered by the Qualys Threat Research Unit (TRU), the flaw exploits an unintended interaction between two standard system components, snap-confine and systemd-tmpfiles. That makes it particularly dangerous, given how deeply both are embedded in default Ubuntu deployments.

Snapd is Ubuntu’s background service that manages snap packages, self-contained application bundles with their own dependencies.

Beyond package management, snapd enforces the permission model governing what each snap can access on the host, making it both a package manager and a security policy engine.

Two components within this framework sit at the core of CVE-2026-3888:

  • snap-confine is the setuid root binary responsible for building snap sandboxes before an application executes. It handles mount namespace isolation, cgroup enforcement, AppArmor policy loading, and seccomp filtering — the complete confinement stack that keeps snap applications within their boundaries.
  • systemd-tmpfiles manages volatile directories such as /tmp, /run, and /var/tmp, creating them at boot and purging stale files on a timer. Misconfigured or predictable cleanup cycles in this utility can open symlink race windows and local escalation paths.

Ubuntu Desktop Systems Vulnerability Exploitation

CVE-2026-3888 carries a CVSS v3.1 score of 7.8 (High), with the vector string AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. The attack requires local access and low privileges, demands no user interaction, and produces a changed scope, meaning a successful exploit impacts resources outside the vulnerable component, with high impact across confidentiality, integrity, and availability.


The High Attack Complexity reflects a time-delay mechanism inherent to the exploit chain. By default, systemd-tmpfiles is scheduled to delete stale data from /tmp — after 30 days on Ubuntu 24.04 and 10 days on later versions. The attack unfolds in three stages:

  1. The attacker waits for the cleanup daemon to delete /tmp/.snap, a critical directory used by snap-confine during sandbox initialization.
  2. Once deleted, the attacker recreates /tmp/.snap and populates it with malicious payloads.
  3. On the next sandbox initialization, snap-confine bind-mounts those files as root, enabling arbitrary code execution within a privileged context and delivering full host compromise.
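A defender-side check for the condition these three stages depend on, as an added example that is not from Qualys, Canonical or the original article: it inspects /tmp/.snap without following symlinks and reports whether the directory or anything under it is owned by a non-root user or writable by group/others. The function name, the trusted_uid parameter and the premise that a legitimate /tmp/.snap is root-owned are assumptions.

```python
import os
import stat
import sys

SNAP_TMP = "/tmp/.snap"  # directory named in the article


def audit_snap_tmp(path=SNAP_TMP, trusted_uid=0):
    """Return (status, reasons); status is 'absent', 'ok' or 'suspect'.

    Assumption: a legitimate directory is created by snap-confine, so it and
    everything under it belong to root (trusted_uid) and are not writable by others.
    """
    try:
        top = os.lstat(path)  # lstat so a planted symlink is inspected, not followed
    except FileNotFoundError:
        return "absent", ["path does not exist"]

    if not stat.S_ISDIR(top.st_mode):
        kind = "symlink" if stat.S_ISLNK(top.st_mode) else "non-directory"
        return "suspect", [f"{path} is a {kind}"]

    reasons = []

    def check(p, st):
        if st.st_uid != trusted_uid:
            reasons.append(f"{p} owned by uid {st.st_uid}")
        # Symlink mode bits are meaningless on Linux, so skip them here.
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{p} is group/world-writable")

    check(path, top)
    # Walk without following symlinks; every entry is judged by its own lstat.
    for root, dirs, files in os.walk(path, followlinks=False):
        for name in dirs + files:
            entry = os.path.join(root, name)
            try:
                check(entry, os.lstat(entry))
            except OSError:
                continue  # entry vanished or is unreadable; skip it
    return ("suspect" if reasons else "ok"), reasons


if __name__ == "__main__":
    status, reasons = audit_snap_tmp()
    print(f"{SNAP_TMP}: {status}")
    for r in reasons:
        print("  -", r)
    sys.exit(1 if status == "suspect" else 0)
```

The script exits non-zero only on a "suspect" result, so it can run from a scheduled job; an "absent" result is informational, since the directory is also missing on hosts where no snap has run since the last cleanup.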

Organizations should upgrade snapd to the following patched releases immediately:

| Ubuntu Version         | Vulnerable snapd              | Patched Version      |
|------------------------|-------------------------------|----------------------|
| Ubuntu 24.04 LTS       | Prior to 2.73+ubuntu24.04.1   | 2.73+ubuntu24.04.1   |
| Ubuntu 25.10           | Prior to 2.73+ubuntu25.10.1   | 2.73+ubuntu25.10.1   |
| Ubuntu 26.04 LTS (Dev) | Prior to 2.74.1+ubuntu26.04.1 | 2.74.1+ubuntu26.04.1 |
| Upstream snapd         | Prior to 2.75                 | 2.75                 |

Legacy systems running Ubuntu 16.04–22.04 LTS are not vulnerable in default configurations, but Qualys recommends applying the patch as a precaution for non-default setups that may mirror newer release behavior.

Separately, during a proactive security review prior to the Ubuntu 25.10 release, Qualys TRU identified a race condition in the uutils coreutils package — a Rust rewrite of standard GNU utilities.

The flaw resided in the rm utility, allowing an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions, specifically targeting /etc/cron.daily/apport. Exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.

The Ubuntu Security Team mitigated the risk before public release by reverting the default rm command in Ubuntu 25.10 to GNU coreutils. Upstream fixes have since been applied to the uutils repository.
