CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Ubuntu desktop local privilege escalation via snap-confine and systemd-tmpfiles interaction

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A local privilege escalation (LPE) vulnerability has been disclosed in Ubuntu Desktop 24.04 and later, tracked as CVE-2026-3888, enabling attackers with minimal access to escalate to full root privileges. The flaw results from the interaction between snap-confine and systemd-tmpfiles, where attackers exploit delayed automated cleanup processes (10–30 days) to replace critical directories with malicious payloads. Triggering snap-confine execution of these files achieves root access without requiring user interaction. Impact includes complete system compromise on affected Ubuntu releases using vulnerable snapd versions.

Timeline

  1. 18.03.2026 17:45 1 articles · 2h ago

    CVE-2026-3888 disclosed: Local root compromise possible via snap-confine and systemd-tmpfiles interaction in Ubuntu Desktop

    A local privilege escalation vulnerability (CVE-2026-3888) was disclosed affecting Ubuntu Desktop 24.04 and later. The issue stems from the interaction between snap-confine and systemd-tmpfiles, enabling attackers to replace critical directories during delayed cleanup cycles (10–30 days) and trigger root-level execution via snap-confine. Affected systems include Ubuntu 24.04 LTS, 25.10 LTS, and 26.04 (development), with mitigations available in updated snapd releases. A concurrent remediation of a race condition in uutils coreutils (rm) during Ubuntu 25.10 pre-release review was also addressed.

    Show sources
    Open in new tab

Information Snippets

  • CVE-2026-3888 affects default installations of Ubuntu Desktop 24.04 and later releases.

    First reported: 18.03.2026 17:45
    1 source, 1 article
    Show sources

  • The vulnerability arises from an interaction between snap-confine and systemd-tmpfiles, enabling timing-based replacement of critical directories during cleanup cycles.

    First reported: 18.03.2026 17:45
    1 source, 1 article
    Show sources

  • Exploitation requires waiting for temporary file cleanup (10–30 days), then recreating deleted directories with malicious payloads to trigger snap-confine execution with root privileges.

    First reported: 18.03.2026 17:45
    1 source, 1 article
    Show sources

  • The flaw has a CVSS score of 7.8 (High) due to low complexity but high required timing specificity; no user interaction is necessary and only low-level access is needed to initiate the attack chain.

    First reported: 18.03.2026 17:45
    1 source, 1 article
    Show sources

  • Affected Ubuntu releases include 24.04 LTS, 25.10 LTS, and 26.04 (development), with fixes available in snapd versions 2.73+ubuntu24.04.2, 2.73+ubuntu25.10.1, 2.74.1+ubuntu26.04.1, and upstream snapd 2.75 or later.

    First reported: 18.03.2026 17:45
    1 source, 1 article
    Show sources

  • Qualys also identified a separate race condition in the uutils coreutils package (rm utility) during review for Ubuntu 25.10, allowing file manipulation during system tasks; addressed before public release via temporary switch to GNU coreutils and later upstream fixes.

    First reported: 18.03.2026 17:45
    1 source, 1 article
    Show sources