Ubuntu snap flaw lets local users hijack root access
Qualys has disclosed a local privilege escalation flaw in default installations of Ubuntu Desktop 24.04 and later that, under specific timing conditions, can allow an unprivileged user to gain full root access.
Tracked as CVE-2026-3888, the vulnerability stems from an interaction between snap-confine and systemd-tmpfiles on systems where Snap is installed in its standard configuration, as is typical for Ubuntu Desktop.
Qualys rated the flaw high severity, with a CVSS v3.1 score of 7.8 out of 10. The vector describes a local attack that requires low privileges and no user interaction but has high attack complexity. A successful attack can fully compromise confidentiality, integrity and availability.
Timing window
The exploit depends on a time-based window tied to the operating system's cleanup of temporary files. It requires waiting for the system to remove a specific directory in /tmp that snap-confine relies on during sandbox setup.
On Ubuntu 24.04, the relevant cleanup threshold is 30 days; in later versions cited by Qualys, the window can be 10 days. After the directory is deleted, an attacker can recreate it with malicious content and then wait for snap-confine to initialise the next Snap sandbox.
During sandbox initialisation, snap-confine can then bind-mount attacker-controlled files as root. This enables arbitrary code execution in a privileged context and a route to full root access.
Components involved
snapd is the background service that manages Snap packages on Ubuntu. It handles installation and updates and enforces the snap permission model. Two components in that ecosystem are central to CVE-2026-3888.
snap-confine is a set-user-ID-root binary that prepares the sandbox before a snap application runs. Because it operates with elevated privileges, it sits at a trust boundary between a regular user and privileged operations.
systemd-tmpfiles manages volatile directories such as /tmp, /run and /var/tmp, creating and removing files and directories based on configuration rules and age thresholds. Qualys attributed the vulnerability to an unintended interaction between these two privileged utilities.
Affected releases
Qualys listed vulnerable versions of the snapd package across several Ubuntu releases and upstream snapd. On Ubuntu 24.04 LTS, versions prior to 2.73+ubuntu24.04.1 are affected. On Ubuntu 25.10 LTS, versions prior to 2.73+ubuntu25.10.1 are affected. On Ubuntu 26.04 LTS (Dev), versions prior to 2.74.1+ubuntu26.04.1 are affected. Upstream snapd versions prior to 2.75 are also affected.
According to Qualys, older Ubuntu LTS releases from 16.04 through 22.04 are not vulnerable in default configurations. It still recommended applying the patch on those systems as a precaution in cases where non-default setups might resemble the behaviour of newer releases.
Qualys advised organisations running Ubuntu Desktop 24.04 or later to apply the available patches immediately.
Secondary issue
Qualys also described a separate vulnerability found during review work ahead of Ubuntu Desktop 25.10. It involved uutils coreutils, a Rust rewrite of standard GNU utilities that had been under evaluation for that release.
The firm reported a race condition in the rm utility that could allow an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions, specifically /etc/cron.daily/apport. The impact included arbitrary file deletion as root and potential further escalation paths if snap sandbox directories were targeted.
Qualys said the issue was mitigated before the public release of Ubuntu 25.10. As an immediate measure, Ubuntu 25.10 reverted its default rm command to GNU coreutils, and upstream fixes were later applied to the uutils repository.
"While the exploit requires a specific time-based window (10-30 days), the resulting impact is a complete compromise of the host system," said the Qualys Threat Research Unit.