A newly identified Local Privilege Escalation (LPE) vulnerability impacting default installations of Ubuntu Desktop 24.04 and newer versions enables attackers with limited local access to obtain full root privileges. Cataloged as CVE-2026-3888, the issue was discovered by the Qualys Threat Research Unit. It stems from an unexpected interaction between two core system components, snap-confine and systemd-tmpfiles, both of which are deeply integrated into Ubuntu’s default environment, increasing the severity of the flaw.

Ubuntu’s snapd service is responsible for managing snap packages, which are self-contained applications that include their own dependencies. Beyond package handling, snapd also enforces strict security policies, controlling what resources each application can access.

At the center of this vulnerability are two critical elements:

  • snap-confine: A setuid root binary that prepares the secure sandbox environment for snap applications. It manages isolation mechanisms such as mount namespaces, cgroups, AppArmor profiles, and seccomp filtering to ensure application confinement.

  • systemd-tmpfiles: A utility that creates and maintains temporary directories like /tmp, /run, and /var/tmp. It also periodically removes outdated files, which, if not carefully handled, can introduce race conditions and symlink-based attack vectors.

The exploit does not require user interaction and can be executed by a low-privileged local user. Once successful, it results in a “changed scope” impact, allowing attackers to compromise system resources beyond the vulnerable components, affecting confidentiality, integrity, and availability. Despite its high impact, the attack depends on timing because of how system cleanup is scheduled. On Ubuntu 24.04, temporary files in /tmp are cleared after 30 days, while newer versions reduce this period to 10 days. The exploitation process unfolds in three steps:

  1. The attacker waits for the system cleanup process to remove the /tmp/.snap directory, which is used during snap sandbox initialization.

  2. After deletion, the attacker recreates the directory and inserts malicious files.

  3. When snap-confine runs again, it bind-mounts these attacker-controlled files with root privileges, enabling arbitrary code execution and full system compromise.
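A defender can check for the precondition described in these steps, a /tmp/.snap that was recreated by someone other than root. The following is an added example, not code from Qualys, Ubuntu or snapd; the function name `audit_snap_tmp` is hypothetical, and it assumes that a legitimately created /tmp/.snap is root-owned and not writable by group or others.

```python
import os
import stat

SNAP_TMP = "/tmp/.snap"  # path named in the article


def audit_snap_tmp(path=SNAP_TMP, expected_uid=0):
    """Return findings for `path`; an empty list means it exists and looks as expected.

    Assumption (not from the article): a directory created by snap-confine is
    owned by root and is not writable by group or others.
    """
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return ["absent: cleanup removed it or no snap has run yet"]
    if stat.S_ISLNK(st.st_mode):
        return [f"symlink: {path} -> {os.readlink(path)}"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"not a directory: {path}"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/world-writable: mode {stat.S_IMODE(st.st_mode):o}")
    # Entries below the directory: anything not owned by the expected uid was
    # placed there by someone other than the privileged helper.
    for root, dirs, files in os.walk(path, followlinks=False):
        for name in dirs + files:
            entry = os.path.join(root, name)
            try:
                est = os.lstat(entry)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if est.st_uid != expected_uid:
                findings.append(f"foreign entry: {entry} (uid {est.st_uid})")
    return findings


if __name__ == "__main__":
    for line in audit_snap_tmp() or ["ok: root-owned, not writable by others"]:
        print(line)
```

Run periodically, any finding other than "absent" is worth investigating before the next snap launch.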

Systems running older Ubuntu LTS releases are not affected under default settings. However, Qualys advises applying patches even on these systems if they have non-standard configurations.

In a separate finding during a pre-release security audit for Ubuntu 25.10, Qualys researchers uncovered a race condition in the uutils coreutils package, a Rust-based alternative to GNU core utilities. The vulnerability was identified in the command, where attackers could exploit timing issues to replace files with symbolic links during automated root-level cron jobs, particularly targeting /etc/cron.daily/apport. This could lead to unauthorized file deletion or further privilege escalation by manipulating snap-related directories. To mitigate the risk, the Ubuntu Security Team reverted the default implementation of the rm utility back to the traditional GNU coreutils before the release of Ubuntu 25.10. The issue has since been addressed upstream in the uutils project.
