A high severity vulnerability in default Ubuntu Desktop installations of 24.04 and later can be exploited by an unprivileged local user to gain root access. The issue is tracked as CVE-2026-3888 with a CVSS score of 7.8.
KEY FACTS
- Incident Local privilege escalation to root
- Affected releases Ubuntu Desktop 24.04 and later
- Identifier CVE-2026-3888, CVSS 7.8
- Patches Updated snapd versions listed in the advisory
In a technical analysis, the Qualys Threat Research Unit reported that the flaw arises from the interaction of snap-confine and systemd-tmpfiles. The exploit requires a timed window of roughly 10 to 30 days but can lead to full host compromise when successful.
Ubuntu’s security advisory lists patched snapd versions for affected releases. The fixes cover Ubuntu 24.04, Ubuntu 25.10, the 26.04 development line and upstream snapd releases.
The exploitation chain requires the system cleanup daemon to remove a critical directory used by snap-confine, typically /tmp/.snap. An attacker can recreate that directory with malicious files and during the next sandbox initialization snap-confine bind mounts those files as root allowing arbitrary code execution in the privileged context according to the report.
The report also describes a separate race condition in the uutils coreutils package that permits an unprivileged attacker to swap directory entries with symlinks during root cron jobs. Successful exploitation could enable arbitrary root file deletion or further privilege escalation. The disclosure says mitigation steps were applied including reverting the default rm to GNU coreutils in one release and upstream fixes to uutils.
WHY IT MATTERS
The flaw enables local, low privilege accounts to gain full system control after a delay period making unattended desktop systems and multiuser hosts at risk until updates are installed. System administrators should apply the listed snapd updates and verify temporary directory settings.