Ubuntu CVE-2026-3888 Lets Local Users Gain Root via systemd Timing

A newly disclosed high severity flaw affects default installs of Ubuntu Desktop 24.04 and later. Qualys Threat Research Unit found the bug and published technical details. The issue is tracked as CVE-2026-3888 and carries a CVSS score of 7.8. Qualys warned the flaw can let an unprivileged local attacker gain full root access.

Qualys explained the problem in plain terms. “This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles,” the Qualys Threat Research Unit said. “While the exploit requires a specific time based window (10 to 30 days), the resulting impact is a complete compromise of the host system.”

How the bug works

The issue arises from how two pieces of software interact. Snap-confined apps use snap-confine to create and manage sandboxes. Systemd runs timed cleanup jobs with systemd-tmpfiles to remove old temporary files. In some default Ubuntu setups these two behaviors collide.

Qualys described the attack chain. First, systemd-tmpfiles can remove a directory used by snap-confine. The default cleanup window is 30 days on Ubuntu 24.04 and 10 days on later versions. An attacker waits for that directory to be removed. Then the attacker recreates the directory and plants malicious files. On the next sandbox startup, snap-confine bind mounts those files as root. The attacker can then run code in a privileged context.

Here are the key steps as Qualys laid them out:

  • The attacker waits for the system cleanup daemon to delete the critical directory that snap-confine expects.
  • After deletion, the attacker recreates the directory and drops a malicious payload.
  • When snap-confine initializes the next sandbox, it bind mounts the attacker's files with root privileges, enabling code execution as root.

The timing requirement makes the exploit complex. It does not need network access. It only needs a local, unprivileged user. Qualys stressed the impact is severe even if exploitation is not trivial.

Related race condition in coreutils

Qualys also reported a separate but related race condition in the uutils coreutils project. The flaw allows an unprivileged local user to replace directory entries with symbolic links during root-owned cron jobs. Qualys said this could enable deletion of arbitrary files as root or further privilege escalation by targeting snap sandbox directories.

“Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories,” the cybersecurity company said. To lower the immediate risk, Ubuntu 25.10 rolled back to the GNU coreutils rm as a stopgap while fixes were applied upstream to the uutils repository.

Who patched what

Qualys listed the patched releases and snapd versions. The fixes are available for Ubuntu Desktop users and in upstream snapd releases. According to Qualys, the affected and fixed versions are:

  • Ubuntu 24.04 LTS: snapd versions prior to 2.73+ubuntu24.04.1 were vulnerable.
  • Ubuntu 25.10: snapd versions prior to 2.73+ubuntu25.10.1 were vulnerable.
  • Ubuntu 26.04 LTS development: snapd versions prior to 2.74.1+ubuntu26.04.1 were vulnerable.
  • Upstream snapd: versions prior to 2.75 were vulnerable.

Qualys said upstream fixes are in place for uutils and snapd. Ubuntu made an immediate mitigation in the 25.10 channel by reverting the default rm to GNU coreutils. System administrators should apply available updates as soon as possible.

What users should do now

First, check for and install snapd and system updates from your Ubuntu channels. Second, treat untrusted local accounts with caution on any affected machine. Third, review cron jobs and any scripts that run with root privileges. Qualys recommended these steps and provided technical proofs to help defenders verify whether a host was targeted.

The bug is a reminder that two safe features can become dangerous when they interact in unexpected ways. As Qualys put it, timing and cleanup behaviors can change the security posture of a system. Patching and careful configuration remain the best immediate defenses.
