Tracked as CVE-2026-3888 and uncovered by the Qualys Threat Research Unit, the flaw exploits an unintended interaction between two standard system components, snap-confine and systemd-tmpfiles. That makes it particularly dangerous, given how deeply both are embedded in default Ubuntu deployments.
Snapd is Ubuntu’s background service that manages snap packages, self-contained application bundles with their own dependencies.
Beyond package management, snapd enforces the permission model governing what each snap can access on the host, making it both a package manager and a security policy engine.
Two components within this framework sit at the core of CVE-2026-3888:
/tmp, /run, and /var/tmp, creating them at boot and purging stale files on a timer. Misconfigured or predictable cleanup cycles in this utility can open symlink race windows and local escalation paths.
CVE-2026-3888 carries a CVSS v3.1 score of 7.8 (High), with the vector string AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. The attack requires local access and low privileges, demands no user interaction, and produces a changed scope, meaning a successful exploit impacts resources outside the vulnerable component, with high impact across confidentiality, integrity, and availability.
The High Attack Complexity reflects a time-delay mechanism inherent to the exploit chain. By default, systemd-tmpfiles is scheduled to delete stale data from /tmp — after 30 days on Ubuntu 24.04 and 10 days on later versions. The attack unfolds in three stages:
/tmp/.snap, a critical directory used by snap-confine during sandbox initialization.
/tmp/.snap and populates it with malicious payloads.
Organizations should upgrade snapd to the following patched releases immediately:
| Ubuntu Version | Vulnerable snapd | Patched Version |
|---|---|---|
| Ubuntu 24.04 LTS | Prior to 2.73+ubuntu24.04.1 | 2.73+ubuntu24.04.1 |
| Ubuntu 25.10 | Prior to 2.73+ubuntu25.10.1 | 2.73+ubuntu25.10.1 |
| Ubuntu 26.04 LTS (Dev) | Prior to 2.74.1+ubuntu26.04.1 | 2.74.1+ubuntu26.04.1 |
| Upstream snapd | Prior to 2.75 | 2.75 |
Legacy systems running Ubuntu 16.04–22.04 LTS are not vulnerable in default configurations, but Qualys recommends applying the patch as a precaution for non-default setups that may mirror newer release behavior.
During a proactive security review prior to the Ubuntu 25.10 release, Qualys TRU identified a race condition in the uutils coreutils package — a Rust rewrite of standard GNU utilities.
The flaw resided in the rm utility, allowing an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions, specifically targeting /etc/cron.daily/apport. Exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.
The Ubuntu Security Team mitigated the risk before public release by reverting the default rm command in Ubuntu 25.10 to GNU coreutils. Upstream fixes have since been applied to the uutils repository.
The post Ubuntu Desktop Systems Vulnerability Enables Attackers to Gain Full Root Access appeared first on Cyber Security News.