Weaknesses in Ubuntu Desktop Systems

A Local Privilege Escalation (LPE) flaw in default installations of Ubuntu Desktop 24.04 and later lets an attacker with no privileges gain full root access. This article examines the flaw, which targets snap. The Qualys Threat Research Unit found it, and it is tracked as CVE-2026-3888.

It takes advantage of an unintended interaction between two standard system components, snap-confine and systemd-tmpfiles. This makes it especially dangerous because both of these components are deeply embedded in default Ubuntu installations. Snapd is the service that runs in the background on Ubuntu and manages snap packages, which are bundles of applications that come with their own dependencies. Snapd is both a package manager and a security policy engine.

It manages packages and enforces the permission model that controls what each snap can access on the host.

Two parts of this framework are at the heart of CVE-2026-3888. snap-confine is the setuid root binary that builds snap sandboxes before an application runs. It takes care of mount namespace isolation, cgroup enforcement, loading AppArmor policies, and seccomp filtering: the full confinement stack that keeps snap apps within their limits.

systemd-tmpfiles takes care of temporary folders like /tmp, /run, and /var/tmp. It creates them when the computer starts up and deletes old files on a schedule. If its cleanup cycles are misconfigured or predictable, the utility can open symlink race windows and local escalation paths. The CVSS v3.1 score for CVE-2026-3888 is 7.8 (High), and the vector string is AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

The attack needs local access and low privileges, doesn't require any user interaction, and has a changed scope, which means that a successful exploit affects resources outside of the vulnerable component; its impact on confidentiality, integrity, and availability is high. The High Attack Complexity is a result of a time-delay mechanism built into the exploit chain. On Ubuntu 24.04, systemd-tmpfiles is set to delete old data from /tmp after 30 days.

On later versions, this happens after 10 days. The attack has three parts. First, the attacker waits for the cleanup daemon to delete /tmp/.snap, a directory that snap-confine relies on to set up the sandbox. Second, the attacker recreates /tmp/.snap and fills it with malicious files.

Third, when the next sandbox is set up, snap-confine bind-mounts those files as root, which lets any code run in a privileged context and gives full access to the host. Companies should immediately upgrade snapd to the following patched versions:

Ubuntu 24.04 LTS: vulnerable before 2.73+ubuntu24.04.1; patched in 2.73+ubuntu24.04.1
Ubuntu 25.10: vulnerable before 2.73+ubuntu25.10.1; patched in 2.73+ubuntu25.10.1
Ubuntu 26.04 LTS (Dev): vulnerable before 2.74.1+ubuntu26.04.1; patched in 2.74.1+ubuntu26.04.1
Upstream snapd: vulnerable before 2.75

Ubuntu 16.04–22.04 LTS systems were not vulnerable in their default configuration. However, Qualys recommends applying the patch as a precaution for non-default setups that may behave like newer releases.

Qualys TRU also found a race condition in the uutils coreutils package (a Rust rewrite of the standard GNU utilities) during a proactive security review before the release of Ubuntu 25.10. The problem was in the rm command: it let a local, unprivileged attacker replace directory entries with symlinks while root-owned cron jobs were running, specifically targeting /etc/cron.daily/apport. Exploiting it would let an attacker delete any file as root or escalate privileges by targeting snap sandbox directories.

Before the public release, the Ubuntu Security Team reduced the risk by changing the default rm command in Ubuntu 25.10 back to GNU coreutils. The uutils repository has since received fixes from upstream.