"This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles. While the exploit requires a specific time-based window (10-30 days), the resulting impact is a complete compromise of the host system."
"The problem stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g., /tmp, /run, and /var/tmp) older than a defined threshold."
"In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp. An attacker can exploit this by manipulating the timing of these cleanup cycles. The attacker must wait for the system's cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine, then recreate it with malicious payloads."
CVE-2026-3888 (CVSS 7.8) affects Ubuntu Desktop 24.04 and later versions, enabling unprivileged local attackers to escalate privileges to root level. The vulnerability stems from unintended interaction between snap-confine, which manages sandbox environments for snap applications, and systemd-tmpfiles, which automatically removes temporary files and directories older than defined thresholds. The exploit requires a specific time-based window of 10-30 days and high attack complexity, but results in complete system compromise. Patches are available for Ubuntu 24.04 LTS, 25.10 LTS, 26.04 LTS, and upstream snapd versions. The attack involves waiting for cleanup daemons to delete critical directories, then recreating them with malicious payloads.
#ubuntu-security-vulnerability #privilege-escalation #cve-2026-3888 #snap-package-manager #system-administration
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]