A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level.
Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system.
“This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles,” the Qualys Threat Research Unit (TRU) said. “While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system.”
The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g., /tmp, /run, and /var/tmp) older than a defined threshold.
The vulnerability has been patched in the following versions –
- Ubuntu 24.04 LTS – snapd versions prior to 2.73+ubuntu24.04.1
- Ubuntu 25.10 LTS – snapd versions prior to 2.73+ubuntu25.10.1
- Ubuntu 26.04 LTS (Dev) – snapd versions prior to 2.74.1+ubuntu26.04.1
- Upstream snapd – versions prior to 2.75
The attack requires low privileges and no user interaction, although the attack complexity is high because of the time-delay mechanism in the exploit chain.
“In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp,” Qualys said. “An attacker can exploit this by manipulating the timing of these cleanup cycles.”
The attack plays out in the following manner –
- The attacker must wait for the system’s cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default interval is 30 days in Ubuntu 24.04 and 10 days in later versions.
- Once deleted, the attacker recreates the directory with malicious payloads.
- During the next sandbox initialization, snap-confine bind mounts these files as root, allowing the execution of arbitrary code within the privileged context.
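
To check a host against the fixed versions listed above and the /tmp/.snap step of the chain, the following added example (not code from Qualys, Canonical or this article) compares a snapd version string with the listed fixes and classifies the directory's current state. The function names, the simplified Debian version comparison (no epoch or revision handling) and the expectation that a legitimate /tmp/.snap is a root-owned real directory are assumptions of this example.

```python
import os
import re
import stat

# Fixed snapd versions per Ubuntu release, copied from the list above.
FIXED = {"24.04": "2.73+ubuntu24.04.1", "25.10": "2.73+ubuntu25.10.1",
         "26.04": "2.74.1+ubuntu26.04.1"}

def _order(ch):
    # Debian ordering: '~' first, then end of string, then letters, then other symbols.
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def deb_cmp(a, b):
    """Compare Debian upstream versions (no epoch/revision handling): -1, 0 or 1."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):  # non-digit run, char by char
            ca, cb = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):        # digit run, numerically
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def is_patched(release, installed):
    """True if installed snapd >= the fixed version listed for this release."""
    return deb_cmp(installed, FIXED[release]) >= 0

def snap_tmp_state(path="/tmp/.snap"):
    """Classify the directory; expecting a root-owned real directory is an assumption."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"       # removed by cleanup: the state the chain waits for
    if st.st_uid != 0 or not stat.S_ISDIR(st.st_mode):
        return "suspicious"   # not root's, or a symlink/file where a directory belongs
    return "root-owned"

if __name__ == "__main__":
    # "2.72+ubuntu24.04" is a constructed sample version, not taken from the article.
    print(snap_tmp_state(), is_patched("24.04", "2.72+ubuntu24.04"))
```

On a real host, pass the installed package version (for example the output of `dpkg-query -W -f='${Version}' snapd`) to `is_patched` together with the release number.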
In addition, Qualys said it discovered a race condition flaw in the uutils coreutils package that allows an unprivileged local attacker to replace directory entries with symbolic links (aka symlinks) during root-owned cron executions.
“Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories,” the cybersecurity company said. “The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.”



