Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit

A serious security flaw in default installations of Ubuntu Desktop versions 24.04 and later could be used to gain root-level access This article explores systemd tmpfiles exploit. . The problem, which has a CVSS score of 7.8, could let an attacker take over a system that is vulnerable.

The Qualys Threat Research Unit (TRU) said, "This flaw (CVE-2026-3888) lets an unprivileged local attacker gain full root access by using two standard system components: snap-confine and systemd-tmpfiles."

"The exploit needs a specific time-based window (10–30 days), but the end result is that the host system is completely compromised." Qualys said that the problem comes from the unplanned interaction between snap-confine, which makes a sandbox to manage execution environments for snap applications, and systemd-tmpfiles, which automatically deletes temporary files and directories (like /tmp, /run, and /var/tmp) that are older than a certain age.

The following versions have fixed the security hole: Ubuntu 24.04 LTS - snapd versions before 2.73+ubuntu24.04.1; Ubuntu 25.10 LTS - snapd versions before 2.73+ubuntu25.10.1; Ubuntu 26.04 LTS (Dev) - snapd versions before 2.74.1+ubuntu26.04.1 Versions of snapd before 2.75 The attack doesn't need a lot of permissions or user input, but it's hard to do because of the time-delay mechanism in the exploit chain. Qualys said, "By default, systemd-tmpfiles is set to delete old files in /tmp." "An attacker can take advantage of this by changing the timing of these cleanup cycles."

The attack goes like this: The attacker has to wait for the system's cleanup daemon to delete a folder that snap-confine needs to work (/tmp/.snap).

In Ubuntu 24.04, the default time is 30 days. In later versions, it's 10 days. After deleting the directory, the attacker makes a new one with harmful files.

Snap-confine bind mounts these files as root during the next sandbox initialization. This lets any code run in the privileged context. Qualys also said it found a race condition bug in the uutils coreutils package that lets an unprivileged local attacker replace directory entries with symbolic links (also known as symlinks) while cron jobs run as root. The cybersecurity company said, "Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories."

"Before Ubuntu 25.10 was made public, the vulnerability was found and fixed."

To reduce this risk right away, the default rm command in Ubuntu 25.10 was changed back to GNU coreutils. The uutils repository has since received upstream fixes.