A newly identified local privilege escalation (LPE) vulnerability has been discovered affecting default installations of Ubuntu Desktop 24.04 and later, allowing attackers to gain full root access.
The flaw, tracked as CVE-2026-3888, stems from the interaction between two core system components and was uncovered by the Qualys Threat Research Unit.
The issue arises from how snap-confine and systemd-tmpfiles operate together under certain conditions. While exploitation requires patience due to a built-in delay, the potential outcome is a complete system compromise.
A Timing-Based Attack Chain
The flaw relies on a timing-based attack chain. Specifically, attackers exploit automated system cleanup processes to replace critical directories with malicious content.
Key elements of the attack include:
-
Waiting for temporary file cleanup, which occurs after 10-30 days, depending on the system version
-
Recreating a deleted directory with malicious payloads
-
Triggering snap-confine to execute these files with root privileges
Although the vulnerability has a CVSS score of 7.8, indicating high severity, its complexity is also rated high due to the required timing window.
Still, no user interaction is needed, and only low-level access is required to begin the attack.
Affected Systems and Fixes
The vulnerability impacts multiple Ubuntu releases, particularly those using snapd package versions before recent updates. Systems running Ubuntu Desktop 24.04 and newer are most at risk.
Users and organizations are advised to upgrade immediately to patched versions:
-
Ubuntu 24.04 LTS: snapd 2.73+ubuntu24.04.2 or later
-
Ubuntu 25.10 LTS: snapd 2.73+ubuntu25.10.1 or later
-
Ubuntu 26.04 (development): snapd 2.74.1+ubuntu26.04.1 or later
-
Upstream snapd: version 2.75 or later
Legacy systems are not affected by default configurations but may still benefit from applying patches as a precaution.
Read more on Linux privilege escalation vulnerabilities: CrackArmor Flaws Expose Linux Systems to Privilege Escalation
During a separate review ahead of Ubuntu 25.10’s release, Qualys said they identified another flaw in the uutils coreutils package.
This issue involved a race condition in the rm utility that could allow attackers to manipulate file deletions during scheduled system tasks.
The vulnerability was addressed before public release. Developers reverted to GNU coreutils as a temporary safeguard, while upstream fixes have since been implemented.
