A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level.
Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system.
“This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles,” the Qualys Threat Research Unit (TRU) said. “While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system.”
The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g.,/tmp, /run, and /var/tmp) older than a defined threshold.
The vulnerability has been patched in the following versions –
- Ubuntu 24.04 LTS – snapd versions prior to 2.73+ubuntu24.04.1
- Ubuntu 25.10 LTS – snapd versions prior to 2.73+ubuntu25.10.1
- Ubuntu 26.04 LTS (Dev) – snapd versions prior to 2.74.1+ubuntu26.04.1
- Upstream snapd – versions prior to 2.75
The attack requires low privileges and no user interaction, although the attack complexity is high due to the time-delay mechanism in the exploit chain.
“In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp,” Qualys said. “An attacker can exploit this by manipulating the timing of these cleanup cycles.”
The attack plays out in the following manner –
- The attacker must wait for the system’s cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days in Ubuntu 24.04 and 10 days in later versions.
- Once deleted, the attacker recreates the directory with malicious payloads.
- During the next sandbox initialization, snap-confine bind mounts these files as root, allowing the execution of arbitrary code within the privileged context.
In addition, Qualys said it discovered a race condition flaw in the uutils coreutils package that allows an unprivileged local attacker to replace directory entries with symbolic links (aka symlinks) during root-owned cron executions.
“Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories,” the cybersecurity company said. “The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.”
