Ubuntu desktop systems vulnerability enables attackers to gain full root access


A newly disclosed Ubuntu privilege escalation flaw can let a local attacker jump from low privileges to full root access on affected desktop systems. Qualys says the bug, tracked as CVE-2026-3888, affects default installations of Ubuntu Desktop 24.04 LTS and Ubuntu 25.10 through an interaction between snap-confine and systemd-tmpfiles. Canonical has confirmed the issue and marked it fixed.

The vulnerability matters because it hits components that are deeply embedded in Ubuntu’s snap environment. Qualys said an attacker can wait for systemd-tmpfiles to delete snap’s private /tmp directory, recreate it, and then abuse snap-confine during the next sandbox initialization to gain root privileges. Canonical’s CVE entry describes the flaw in similar terms, saying a local attacker could re-create the deleted directory and escalate privileges when automatic cleanup is enabled.

Canonical says the issue impacts default installations of Ubuntu 24.04 LTS and Ubuntu 25.10, but it also shipped the same hardening to Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, and 22.04 LTS because certain non-default configurations could still be exposed. Upstream hardening is also being applied to snapd 2.75.1.

What CVE-2026-3888 does

Qualys said the flaw stems from the interaction of two otherwise legitimate system components. One is snap-confine, the privileged helper that prepares snap sandboxes before an app starts. The other is systemd-tmpfiles, which creates and cleans temporary directories under locations such as /tmp.

According to Qualys, the exploit requires a time-based window because Ubuntu’s cleanup process removes stale temporary data only after a delay. Qualys said that delay is 30 days on Ubuntu 24.04 and 10 days on later versions, which makes the attack less immediate but still severe because successful exploitation leads to complete host compromise.

Canonical’s CVE page classifies the flaw as high priority and says it allows local attackers to get root privilege by re-creating snap’s private /tmp directory when automatic cleanup is enabled.

How the exploit chain works

Qualys described the attack as a three-step sequence built around timing and directory recreation. First, the attacker waits for systemd-tmpfiles to remove /tmp/.snap. Then the attacker recreates that directory with malicious content. Finally, when snap-confine initializes a sandbox again, it handles that attacker-controlled location in a privileged context, which opens the door to root-level execution.

This is why the bug stands out. The attacker does not need remote code execution or a kernel exploit. The weakness sits in the way two standard components interact over time, which makes the issue easy to miss in ordinary threat models focused only on immediate trigger conditions.

Affected releases and patched versions

Canonical’s Ubuntu Community Hub post lists these fixed versions for the supported Ubuntu releases it patched:

Ubuntu release    Fixed snapd version
16.04 LTS         2.61.4ubuntu0.16.04.1+esm2
18.04 LTS         2.61.4ubuntu0.18.04.1+esm2
20.04 LTS         2.67.1+20.04ubuntu1~esm1
22.04 LTS         2.73+ubuntu22.04.1
24.04 LTS         2.73+ubuntu24.04.2
25.10             2.73+ubuntu25.10.1

Canonical also said the hardening will be applied to upstream snapd 2.75.1.

One important detail is that Canonical’s community advisory lists Ubuntu 24.04 LTS fixed at 2.73+ubuntu24.04.2, while some package listings and secondary mirrors surfaced 2.73+ubuntu24.04.1 during rollout. The Canonical advisory is the safer source of truth here because it reflects the vendor’s coordinated fix guidance.

Why older Ubuntu versions still received fixes

Qualys framed the issue mainly around default Ubuntu Desktop 24.04 and later. Canonical, however, went further and patched older supported releases too. The company said 16.04 through 22.04 are not affected in default setups, but non-default configurations could be vulnerable, which is why the same hardening was applied there as a precaution.

That broader patching choice matters for administrators. It means teams should not assume they are safe just because they run an older LTS release, especially if they have customized snap or temporary-file behavior.

Qualys also flagged a second Ubuntu issue

During its review work before Ubuntu 25.10, Qualys said it found a separate race condition in the uutils coreutils package, specifically in the Rust-based rm utility. Qualys said that flaw could let a low-privilege attacker replace directory entries with symlinks during root-owned cron activity, including /etc/cron.daily/apport, which could lead to arbitrary file deletion as root or help with further escalation.

Qualys said Ubuntu mitigated that risk before public release by switching the default rm command in Ubuntu 25.10 back to GNU coreutils, and upstream fixes were later applied in the uutils project.

What admins should do now

The main priority is simple. Update snapd immediately on affected systems. Canonical recommends either upgrading all packages or targeting snapd directly with APT. The company also notes that unattended upgrades are enabled by default on supported Ubuntu releases, so many systems will receive the patch automatically within 24 hours if that service is active.

A practical response should include:

  • Check the installed version with dpkg -l snapd and compare it to Canonical’s fixed versions.
  • Run sudo apt update && sudo apt upgrade, or sudo apt update && sudo apt install --only-upgrade snapd.
  • Reboot after the update so the patched components and related runtime state are fully refreshed. Canonical’s security notice says a standard system update should be followed by a reboot.
  • Review any non-default snap or tmpfiles configuration on older Ubuntu releases, since Canonical says those setups may still have been exposed before patching.
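
The checks in the list above can be scripted. The following is an added example, not tooling from Canonical or Qualys: it compares the installed snapd against the fixed versions listed on this page using Debian version ordering, and reports the cleanup age configured for /tmp. The function names are hypothetical, and treating the Age field of the /tmp line in tmpfiles.d as the indicator of automatic cleanup is an assumption.

```shell
#!/bin/sh
# Added example: audit a host for the snapd fix described on this page.

# Fixed snapd version per Ubuntu release (values copied from the table above).
fixed_version_for() {
    case "$1" in
        16.04) echo '2.61.4ubuntu0.16.04.1+esm2' ;;
        18.04) echo '2.61.4ubuntu0.18.04.1+esm2' ;;
        20.04) echo '2.67.1+20.04ubuntu1~esm1' ;;
        22.04) echo '2.73+ubuntu22.04.1' ;;
        24.04) echo '2.73+ubuntu24.04.2' ;;
        25.10) echo '2.73+ubuntu25.10.1' ;;
        *) return 1 ;;
    esac
}

# snapd_status RELEASE INSTALLED -> PATCHED | NEEDS_UPDATE | UNKNOWN_RELEASE
snapd_status() {
    fixed=$(fixed_version_for "$1") || { echo UNKNOWN_RELEASE; return 0; }
    # dpkg applies Debian ordering ('~' sorts before the empty string), so a
    # plain string comparison would misjudge suffixes such as '~esm1'.
    if dpkg --compare-versions "$2" ge "$fixed"; then echo PATCHED; else echo NEEDS_UPDATE; fi
}

# tmp_cleanup_age: read tmpfiles.d lines on stdin and print the Age field for /tmp.
# Line format: Type Path Mode User Group Age Argument. The first /tmp entry decides;
# an Age of "-" (or no Age field) is reported as "none". (Assumed indicator, see lead-in.)
tmp_cleanup_age() {
    awk '$1 !~ /^#/ && $2 == "/tmp" && !seen { seen = 1; if ($6 != "" && $6 != "-") age = $6 }
         END { print (age != "" ? age : "none") }'
}

main() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg not available on this host"; return 0; }
    installed=$(dpkg-query -W -f='${Version}' snapd 2>/dev/null) || installed=
    [ -n "$installed" ] || { echo "snapd is not installed"; return 0; }
    release=$( [ -r /etc/os-release ] && . /etc/os-release; echo "${VERSION_ID:-unknown}" )
    echo "release=$release snapd=$installed status=$(snapd_status "$release" "$installed")"
    if command -v systemd-tmpfiles >/dev/null 2>&1; then
        echo "/tmp cleanup age: $(systemd-tmpfiles --cat-config 2>/dev/null | tmp_cleanup_age)"
    fi
}
main
```

On Ubuntu 24.04 LTS, an installed 2.73+ubuntu24.04.1 is reported as NEEDS_UPDATE, which matches the advisory's fixed version rather than the package listings seen during rollout.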

Bottom line

CVE-2026-3888 is a local bug, but it is still serious because it can hand full root access to a low-privilege user on affected Ubuntu desktop systems. The exploit path is not immediate and depends on a cleanup window, yet both Qualys and Canonical treat the flaw as important enough to patch quickly across multiple supported Ubuntu releases.

For Ubuntu users and administrators, the takeaway is straightforward. Patch snapd, reboot the machine, and do not assume older releases are irrelevant just because the default exposure is concentrated in 24.04 and later. Canonical already pushed the hardening wider for a reason.

FAQ

What is CVE-2026-3888?

It is a local privilege escalation flaw in snapd on Ubuntu that can let a low-privilege attacker gain root by abusing how snap’s private /tmp directory is handled when systemd-tmpfiles cleans it up.

Which Ubuntu versions are affected by default?

Canonical says default installations of Ubuntu 24.04 LTS and Ubuntu 25.10 are affected. Older supported releases also received hardening for certain non-default configurations.

How severe is the bug?

Qualys and Canonical both treat it as a high-severity local privilege escalation issue because successful exploitation can lead to full root access.

What should I update to fix it?

Update snapd to the fixed version for your Ubuntu release. Canonical lists the patched versions in its advisory, and upstream hardening is going into snapd 2.75.1.

Do Ubuntu 22.04 and older releases need action?

Yes. Canonical shipped fixes there too because non-default setups may be vulnerable, even though the default impact is centered on 24.04 LTS and 25.10.
