A high-severity vulnerability has been identified in Ubuntu Desktop 24.04 and later releases that allows a local attacker to escalate privileges to root. The flaw, tracked as CVE-2026-3888 with a CVSS score of 7.8, arises from an unintended interaction between two standard system components: snap-confine and systemd-tmpfiles.
Understanding the Vulnerability
Snap-confine is the setuid-root helper that builds the isolated sandbox in which a snap application runs. Systemd-tmpfiles handles the automatic cleanup of temporary files and directories, such as those under /tmp, /run and /var/tmp, that are older than a configured age threshold.
The flaw lies in how snap-confine reacts to that cleanup. Once systemd-tmpfiles has removed a directory that snap-confine relies on, an unprivileged user can recreate it with attacker-controlled contents, which snap-confine then trusts while running as root, leading to arbitrary code execution with root privileges.
Exploitation Process
The exploitation of CVE-2026-3888 is a time-based sequence:
1. Waiting for cleanup: The attacker watches the system until systemd-tmpfiles deletes /tmp/.snap, a directory that snap-confine relies on. According to the report, the default cleanup age is 30 days on Ubuntu 24.04 and 10 days on later releases; the cleanup itself is run daily by systemd-tmpfiles-clean.timer, so a stale directory is removed on the first daily run after it exceeds that age.
2. Recreating the directory: As soon as the directory is gone, the attacker recreates /tmp/.snap (which any local user can do, since /tmp is world-writable) and populates it with malicious content.
3. Triggering the exploit: The next time snap-confine sets up a sandbox, it bind-mounts the attacker-controlled /tmp/.snap hierarchy as root, so the attacker's content is used with root privileges and arbitrary code can be run as root.
The attack needs only an unprivileged local account and no user interaction. Although it depends on the systemd-tmpfiles cleanup schedule, the attacker does not need fine-grained timing: polling for the directory's disappearance and recreating it before the next snap launch is enough.
Affected Versions and Patches
The vulnerability affects the following Ubuntu versions:
– Ubuntu 24.04 LTS: snapd versions prior to 2.73+ubuntu24.04.1
– Ubuntu 25.10: snapd versions prior to 2.73+ubuntu25.10.1
– Ubuntu 26.04 LTS (development): snapd versions prior to 2.74.1+ubuntu26.04.1
– Upstream snapd: versions prior to 2.75
Canonical has released patched snapd packages for the affected releases, and users should install them promptly; the workarounds below reduce exposure but do not replace the update.
Additional Vulnerability in uutils coreutils
In a related finding, a race condition was identified in the uutils coreutils package (the Rust reimplementation of coreutils). It allows an unprivileged local attacker to replace directory entries with symbolic links while a root-owned cron job is removing them, so that files outside the intended tree are deleted as root; by targeting snap sandbox directories this could be turned into further privilege escalation.
This issue was reported and mitigated before Ubuntu 25.10 shipped: the default rm on 25.10 was switched back to the GNU coreutils implementation as an immediate mitigation, and fixes have since landed in the upstream uutils repository.
Recommendations for Users
To protect systems from potential exploitation:
– Update snapd: Install the fixed snapd package for your release (the versions listed above) and confirm the installed version with `snap version` or `dpkg -s snapd`.
– Monitor for the precondition: Watch for /tmp/.snap being removed and then recreated by a non-root user, for example with an audit rule on that path. A /tmp/.snap that exists but is not a root-owned directory is a strong indicator that the race has been attempted.
– Limit unprivileged local access: The flaw is reachable only from a local account, so until the host is patched restrict who can log in or run code on it, especially on shared workstations, CI runners and multi-user servers.
– Review cleanup policies: Inspect the effective systemd-tmpfiles configuration (`systemd-tmpfiles --cat-config`) for the age applied to /tmp, and consider a tmpfiles.d drop-in with an `x /tmp/.snap` entry, which exempts that path from age-based cleaning, as an interim measure until snapd is updated.
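The race described in the exploitation section and the monitoring and cleanup-policy recommendations above can both be checked with a short script. The following is an added example written for this article, not code from snapd, systemd or Canonical: it classifies the state of /tmp/.snap and reads the tmpfiles.d age that applies to /tmp from a configuration text (for instance the output of `systemd-tmpfiles --cat-config`). The "healthy" baseline it assumes (absent, or a root-owned directory that is not writable by other users), the sample configuration lines and the exclusion drop-in are assumptions constructed for the example, not taken from the advisory.

```python
"""Added example for this article, not code from snapd, systemd or Canonical.
Two checks an administrator can run while waiting for the fixed snapd:
  1. classify the state of /tmp/.snap (the directory the article says the
     attacker recreates after systemd-tmpfiles removes it), and
  2. read the tmpfiles.d cleanup age that applies to /tmp and whether
     /tmp/.snap is exempted from cleaning by an x/X entry.
Assumption (not stated by the article): a healthy /tmp/.snap is either absent
or a root-owned directory not writable by other users."""
import os
import re
import stat

SNAP_TMP_DIR = "/tmp/.snap"  # path named in the article

# Age suffixes accepted here; a subset of the units listed in tmpfiles.d(5).
_UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "sec": 1, "m": 60, "min": 60,
          "h": 3600, "d": 86400, "w": 7 * 86400}
_AGE_TOKEN = r"(\d+)\s*(us|ms|sec|min|s|m|h|d|w)?"


def parse_age(field):
    """Convert a tmpfiles.d Age field ('10d', '30d', '1h30min', '-') to
    seconds. None means the entry has no age-based cleanup."""
    if field in ("-", ""):
        return None
    if not re.fullmatch(rf"(?:{_AGE_TOKEN}\s*)+", field):
        raise ValueError(f"unsupported age field: {field!r}")
    return sum(int(num) * _UNITS[unit or "s"]
               for num, unit in re.findall(_AGE_TOKEN, field))


def effective_tmp_policy(config_text, tmp_path="/tmp", protected=SNAP_TMP_DIR):
    """Scan tmpfiles.d lines and report the cleanup age applied to tmp_path
    and whether `protected` is exempted by an x/X line. Exact path matches
    only (globs are not expanded) and the last matching entry wins, which is
    a simplification of the merge rules in tmpfiles.d(5)."""
    age, excluded = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        kind = fields[0].rstrip("!-=~^+")  # drop type modifiers such as 'd!'
        path = fields[1]
        age_field = fields[5] if len(fields) > 5 else "-"
        if kind in ("d", "D", "q", "Q", "e", "v") and path == tmp_path:
            age = parse_age(age_field)
        elif kind in ("x", "X") and path == protected:
            excluded = True
    return {"age_seconds": age, "protected_excluded": excluded}


def fake_stat(kind="dir", uid=0, mode=0o755):
    """Build a stat-like callable for offline tests (constructed, not captured)."""
    types = {"dir": stat.S_IFDIR, "file": stat.S_IFREG, "link": stat.S_IFLNK}

    def _stat(path):
        if kind == "absent":
            raise FileNotFoundError(path)
        return os.stat_result((types[kind] | mode, 0, 0, 1, uid, 0, 4096, 0, 0, 0))
    return _stat


def assess_snap_tmp_dir(path=SNAP_TMP_DIR, stat_fn=os.lstat):
    """Return 'absent', 'ok' or 'suspicious: <reason>' for the snap tmp dir."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return "absent"
    if stat.S_ISLNK(st.st_mode):
        return "suspicious: path is a symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "suspicious: not a directory"
    if st.st_uid != 0:
        return f"suspicious: owned by uid {st.st_uid}, not root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "suspicious: writable by non-root users"
    return "ok"


# Constructed sample in the shape of a tmp.conf; not copied from any release.
SAMPLE_TMPFILES_CONFIG = """\
q /tmp     1777 root root 30d
q /var/tmp 1777 root root 30d
"""

# Constructed drop-in that exempts the snap directory from age-based cleaning.
SAMPLE_EXCLUSION = "x /tmp/.snap\n"

if __name__ == "__main__":
    print("live /tmp/.snap:", assess_snap_tmp_dir())
    print("sample policy:", effective_tmp_policy(SAMPLE_TMPFILES_CONFIG))
    print("with exclusion:",
          effective_tmp_policy(SAMPLE_TMPFILES_CONFIG + SAMPLE_EXCLUSION))
```

Run it as root (or any user, since /tmp/.snap is only stat'ed) on a host; feed `effective_tmp_policy` the real output of `systemd-tmpfiles --cat-config` to see the age that actually governs /tmp. A "suspicious" result for the live directory is a reason to look at who created it and when, not proof of compromise, and exempting the path only narrows the window the article describes; the snapd update remains the fix.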
Conclusion
CVE-2026-3888 is a reminder that two correct components, a cleanup job and a setuid sandbox helper, can combine into a root escalation when one silently trusts state the other removes. Understanding that interaction, applying the snapd update promptly and watching for the precondition in /tmp significantly reduce the risk of unauthorized privilege escalation on affected systems.