Ubuntu 24.04 and Later Exposed to Critical Local Privilege Escalation Vulnerability (CVE-2026-3888)
The Qualys Threat Research Unit has uncovered a significant Local Privilege Escalation (LPE) vulnerability affecting default installations of Ubuntu Desktop version 24.04 and later. Identified as CVE-2026-3888, this flaw permits an unprivileged local attacker to gain full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles.
This vulnerability poses a serious threat: although the exploit depends on a time-based window of 10 to 30 days, a successful attack results in complete compromise of the host system.
Understanding the Vulnerability
The root of this vulnerability lies in the unintended interaction between two privileged utilities:
- snap-confine: This utility manages execution environments for snap applications, which are self-contained application bundles that include their own dependencies.
- systemd-tmpfiles: This component automatically cleans up temporary files and directories that exceed a defined age.
During the review process for Ubuntu 25.10, a separate vulnerability in the uutils coreutils package was also identified and mitigated through proactive collaboration with the Ubuntu Security Team.
The Attack Surface for CVE-2026-3888
The background service known as snapd manages the entire Snap ecosystem on Ubuntu, overseeing the discovery, installation, updates, and removal of snap packages. Canonical designed this framework to resolve dependency conflicts and provide a unified packaging target across various Ubuntu versions. Snapd also enforces a permission model that dictates what each snap can access on the host system.
Understanding snapd is crucial, as both snap-confine and systemd-tmpfiles operate within this framework. Snap-confine builds the sandbox defined by snapd, while systemd-tmpfiles manages the volatile filesystem that both snaps and system services rely on.
Snap-confine
Snap-confine is a setuid root binary that establishes the sandbox before a snap application runs. It manages mount namespace isolation, cgroup enforcement, AppArmor policy loading, and seccomp filtering. Because it operates with elevated privileges, it represents a critical trust boundary. A flaw like CVE-2026-3888 in this component could lead to privilege escalation, making consistent patching of snapd a priority.
Systemd-tmpfiles
Systemd-tmpfiles oversees the lifecycle of volatile directories such as /tmp, /run, and /var/tmp. It creates these directories with the appropriate ownership at boot and cleans out stale files on a schedule. Misconfigured tmpfiles rules can open the door to symlink races and, through them, local privilege escalation.
Exploitation Mechanism
CVE-2026-3888 is rated as high severity, with a CVSS v3.1 score of 7.8 out of 10. The vector string (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates a local attack vector with high complexity, requiring low privileges and no user interaction. The scope is altered, meaning a successful exploit can impact resources beyond the vulnerable component, affecting confidentiality, integrity, and availability.
The inherent time-delay mechanism in the exploit chain contributes to the high attack complexity. In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp. An attacker can exploit this by manipulating the timing of cleanup cycles. The attack vector involves the following steps:
- The attacker waits for the system’s cleanup daemon (30 days in Ubuntu 24.04; 10 days in later versions) to delete a critical directory (/tmp/.snap) required by snap-confine.
- Once deleted, the attacker recreates the directory with malicious payloads.
- During the next sandbox initialization, snap-confine bind-mounts these files as root, allowing the execution of arbitrary code within a privileged context.
Vulnerable Versions
The following snapd package versions are vulnerable, and organizations are urged to upgrade immediately:
- Ubuntu 24.04 LTS: snapd versions prior to 2.73+ubuntu24.04.1
- Ubuntu 25.10 LTS: snapd versions prior to 2.73+ubuntu25.10.1
- Ubuntu 26.04 LTS (Dev): snapd versions prior to 2.74.1+ubuntu26.04.1
- Upstream snapd: versions prior to 2.75
Legacy releases (16.04 to 22.04 LTS) are not vulnerable in default configurations, but applying the patch is still advisable to mitigate the risk from non-default configurations that mimic newer releases.
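To turn the version list above into a check, the following added example (not Qualys or Canonical code) compares a host's snapd package version against the fixed versions the advisory lists, using dpkg's version-ordering rules so that a bare upstream "2.73" is correctly treated as older than "2.73+ubuntu24.04.1". The os-release text and snapd version string at the bottom are constructed sample input standing in for the real files and command output.

```python
import re

# Fixed snapd versions per Ubuntu release, as listed in the advisory.
FIXED = {"24.04": "2.73+ubuntu24.04.1", "25.10": "2.73+ubuntu25.10.1",
         "26.04": "2.74.1+ubuntu26.04.1"}

def _order(c):
    """dpkg weight: digits 0, '~' before end-of-string, letters before other symbols."""
    return 0 if c.isdigit() else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def deb_cmp(a, b):
    """Compare two Debian version strings the way dpkg does; negative means a < b."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights (end of string weighs 0).
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer run, else the first differing digit, wins.
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def ubuntu_release(os_release_text):
    """Extract VERSION_ID (e.g. '24.04') from the contents of /etc/os-release."""
    m = re.search(r'^VERSION_ID="?([0-9.]+)"?', os_release_text, re.M)
    return m.group(1) if m else None

def is_vulnerable(release, snapd_version):
    """True if snapd is older than the fix for this release; None where the advisory
    makes no default-configuration claim (16.04 to 22.04 and unknown releases)."""
    fixed = FIXED.get(release)
    return None if fixed is None else deb_cmp(snapd_version, fixed) < 0

# Constructed sample standing in for /etc/os-release and `dpkg-query -W -f='${Version}' snapd`.
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nVERSION_ID="24.04"\n'
SAMPLE_SNAPD_VERSION = "2.72+ubuntu24.04.1"

if __name__ == "__main__":
    rel = ubuntu_release(SAMPLE_OS_RELEASE)
    print(f"Ubuntu {rel}, snapd {SAMPLE_SNAPD_VERSION}: vulnerable={is_vulnerable(rel, SAMPLE_SNAPD_VERSION)}")
```

On a real host, feed the contents of /etc/os-release and the output of the dpkg-query command shown in the comment into these functions instead of the sample strings.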
Technical Details
For further technical details regarding these vulnerabilities, refer to the advisory available at Qualys.
Secondary Finding: Vulnerability in Ubuntu 25.10 uutils Coreutils
In a proactive security effort prior to the release of Ubuntu Desktop 25.10, the Qualys Threat Research Unit assisted the Ubuntu Security Team in reviewing the uutils coreutils package, a Rust rewrite of standard GNU utilities. A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions. Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.
This vulnerability was reported and mitigated before the public release of Ubuntu 25.10. The default rm command was reverted to GNU coreutils to address this risk immediately, and upstream fixes have since been applied to the uutils repository.
Qualys QID Coverage for Detecting CVE-2026-3888
Qualys is releasing QIDs as they become available. The following table outlines the current coverage:
| QID | Title | VulnSigs Version |
|---|---|---|
| 386810 | Ubuntu Snapd Local Privilege Escalation (LPE) Vulnerability | To be released by 3pm PT |
For a complete list of coverage for this vulnerability, please consult the Qualys Vulnerability Knowledgebase.
Discover Vulnerable Assets with Qualys CyberSecurity Asset Management
Identifying all assets susceptible to this vulnerability is the first crucial step in managing and mitigating the associated risk. Organizations can use CyberSecurity Asset Management 3.0 with External Attack Surface Management to identify internet-facing instances and container/Kubernetes nodes running snapd versions affected by this flaw.
For example, to identify all assets running Ubuntu, the following query can be used:
operatingSystem.name: ["Ubuntu"]
Enhancing Security Posture with Qualys VMDR
Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, enabling organizations to respond rapidly and prioritize risks. Customers can also leverage Qualys Patch Management to effectively remediate these vulnerabilities.
Utilizing the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) allows for efficient identification and prioritization of vulnerable assets. The following QQL statement can be employed:
vulnerabilities.vulnerability.qid: 386810
Automatically Patch CVE-2026-3888 with Qualys Patch Management
Patches for this vulnerability are now available. Qualys Patch Management can automatically deploy these patches to vulnerable assets as they become available. Customers can use the “patch now” button to add this vulnerability to a patch job. Once patches are released, Qualys will find the relevant patches and automatically add them to the patch job, facilitating deployment from the Qualys platform.