Ubuntu privilege escalation via snap-confine and systemd-tmpfiles timing attack
Summary
A high-severity vulnerability in default Ubuntu installations (versions 24.04 and later) enables local attackers to escalate privileges to root by exploiting a timing-based interaction between snap-confine and systemd-tmpfiles. Exploitation requires low privileges and no user interaction, but depends on a specific cleanup window (10–30 days) in which systemd-tmpfiles removes the /tmp/.snap directory. Attackers can then recreate the directory with malicious payloads that snap-confine bind mounts during sandbox initialization, executing arbitrary code with root privileges.
Timeline
- 18.03.2026 10:08 (1 article)
Ubuntu snap-confine privilege escalation via systemd-tmpfiles timing attack disclosed (CVE-2026-3888)
A high-severity privilege escalation vulnerability (CVE-2026-3888, CVSS 7.8) in Ubuntu Desktop versions 24.04 and later enables local attackers to gain root access by exploiting the interaction between snap-confine and systemd-tmpfiles. Exploitation requires no user interaction and low privileges but depends on a constrained cleanup window (10–30 days) in which systemd-tmpfiles deletes /tmp/.snap. Attackers recreate the directory with malicious payloads, which snap-confine then bind mounts during sandbox initialization, executing arbitrary code with root privileges. Patched snapd versions address the issue across Ubuntu 24.04, 25.10, and 26.04 (Dev), alongside upstream snapd fixes.
Sources:
- Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit — thehackernews.com — 18.03.2026 10:08
Information Snippets
- Affected Ubuntu versions include 24.04 LTS, 25.10 LTS, and 26.04 LTS (Dev): snap-confine versions prior to 2.73+ubuntu24.04.1, 2.73+ubuntu25.10.1, and 2.74.1+ubuntu26.04.1, respectively, and upstream snapd versions prior to 2.75, are vulnerable.
  First reported: 18.03.2026 10:08 (1 source, 1 article)
- The vulnerability (CVE-2026-3888, CVSS 7.8) arises from the interplay between snap-confine’s sandbox management and systemd-tmpfiles’ automated cleanup of temporary directories (/tmp, /run, /var/tmp).
  First reported: 18.03.2026 10:08 (1 source, 1 article)
- Exploitation hinges on the attacker manipulating the timing of systemd-tmpfiles cleanup cycles to delete /tmp/.snap, then recreating it with malicious payloads. snap-confine subsequently bind mounts these files as root during sandbox initialization, enabling arbitrary code execution.
  First reported: 18.03.2026 10:08 (1 source, 1 article)
- The default cleanup period for /tmp/.snap is 30 days in Ubuntu 24.04 and 10 days in later versions, providing a constrained but exploitable time window.
  First reported: 18.03.2026 10:08 (1 source, 1 article)
- A separate race condition flaw in the uutils coreutils package (reported and mitigated prior to Ubuntu 25.10) allowed unprivileged local attackers to replace directory entries with symbolic links during root-owned cron executions, enabling arbitrary file deletion as root or further privilege escalation.
  First reported: 18.03.2026 10:08 (1 source, 1 article)