Ubuntu snapd: Local Privilege Escalation, CVE-2026-3888 (High) -DC-Jun2026-239

By /

Listen to this Post

A local privilege escalation (LPE) vulnerability exists in snapd on Ubuntu Linux. The flaw (CVE-2026-3888) arises from an unintended interaction between `snap-confine` (a setuid-root binary) and systemd-tmpfiles, which automatically cleans up stale temporary directories. By default, `systemd-tmpfiles` removes `/tmp/.snap` after 30 days on Ubuntu 24.04 or 10 days on earlier releases. After this cleanup, an unprivileged local attacker can recreate `/tmp/.snap` and populate it with malicious payloads. When the next snap application is launched, `snap-confine` blindly bind‑mounts the re‑created directory into the snap’s isolation environment—executing the attacker’s code as root. Because the attacker controls the content of the bind‑mounted directory, full system compromise is achieved. The attack requires local access and a high attack complexity, but no user interaction is needed.

DailyCVE Form:

Platform: Ubuntu Linux
Version: 16.04-24.04 LTS
Vulnerability: Privilege escalation via /tmp/.snap
Severity: High (CVSS 7.8)
Date: 2026-03-17
Prediction: 2026-03-24

What Undercode Say: Analytics

Check snapd version (vulnerable if < fixed versions)
snap version | grep snapd
Simulate systemd-tmpfiles cleanup (do not run on production!)
sudo rm -rf /tmp/.snap
Verify directory removal
ls -ld /tmp/.snap

Proof‑of‑concept automation (based on real exploit scripts):

git clone https://github.com/fevar54/CVE-2026-3888-POC-all-from-the-Qualys-platform.
cd CVE-2026-3888-POC-all-from-the-Qualys-platform.
make
./exploit

Exploit

  1. Wait for `systemd-tmpfiles` to delete `/tmp/.snap` (or delete it manually).
  2. Recreate `/tmp/.snap` with a malicious payload (e.g., a crafted binary or shared library).
  3. Trigger a snap application launch. `snap-confine` bind‑mounts the attacker‑controlled directory into the snap’s namespace.
  4. The malicious code executes with root privileges, granting full system control.

Protection

  • Patch immediately: Update snapd to the fixed versions:
  • Ubuntu 16.04: `2.61.4ubuntu0.16.04.1+esm2`
    – Ubuntu 18.04: `2.61.4ubuntu0.18.04.1+esm2`
    – Ubuntu 20.04: `2.67.1+20.04ubuntu1~esm1`
    – Ubuntu 22.04: `2.73+ubuntu22.04.1`
    – Ubuntu 24.04: `2.73+ubuntu24.04.1`
    – System‑level mitigations: Restrict local access to untrusted users; monitor for suspicious recreation of /tmp/.snap; consider disabling automatic cleanup of `/tmp/.snap` via custom `systemd-tmpfiles` configuration if patching is impossible.

Impact

Successful exploitation gives any local, unprivileged attacker full root access, leading to complete compromise of confidentiality, integrity, and availability of the system. The vulnerability affects default Ubuntu Desktop installations and has a CVSS base score of 7.8 (High).

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top