Qualys Uncovers Critical Local Privilege Escalation Vulnerability in Ubuntu Desktop 24.04 and Later
Security researchers at Qualys Threat Research Unit (TRU) have reported a local privilege escalation vulnerability, tracked as CVE-2026-3888, affecting default installations of Ubuntu Desktop 24.04 and later versions. The flaw enables an unprivileged local user to gain full root access under specific conditions.
Vulnerability Overview
The vulnerability stems from an interaction between the snap-confine utility and systemd-tmpfiles on Ubuntu Desktop systems where Snap is installed in its standard configuration. Qualys assigned a high severity rating with a CVSS v3.1 score of 7.8 out of 10.
The attack vector is local, requires low privileges, and no user interaction, but is characterized by high attack complexity. Successful exploitation could lead to a complete compromise of confidentiality, integrity, and availability of the affected system.
Exploit Mechanism
Exploitation of CVE-2026-3888 relies on a time-based window associated with the operating system's cleanup of temporary files. Attackers must wait for systemd-tmpfiles to remove a specific directory located in /tmp that snap-confine utilizes during its sandbox setup process. The cleanup threshold is approximately 30 days for Ubuntu 24.04 and potentially 10 days for later versions.
Once the directory is removed, an attacker can recreate it with malicious content. Subsequently, when snap-confine initializes the next Snap sandbox, it can bind-mount attacker-controlled files as root. This action enables arbitrary code execution within a privileged context, potentially leading to full root access.
Key components involved in this vulnerability include:
- snapd: The background service managing Snap packages, responsible for installation, updates, and permission enforcement.
- snap-confine: A set-user-ID-root binary that operates with elevated privileges to prepare the sandbox for Snap applications.
- systemd-tmpfiles: A service that manages volatile directories like /tmp, /run, and /var/tmp, handling file and directory creation and removal based on configured rules and age thresholds.
Affected Releases and Remediation
Qualys identified vulnerable snapd package versions across several Ubuntu releases and upstream snapd development:
- Ubuntu 24.04 LTS: Versions prior to 2.73+ubuntu24.04.1.
- Ubuntu 25.10 LTS: Versions prior to 2.73+ubuntu25.10.1.
- Ubuntu 26.04 LTS (Dev): Versions prior to 2.74.1+ubuntu26.04.1.
- Upstream snapd: Versions prior to 2.75.
Older Ubuntu LTS releases (16.04 through 22.04) are not vulnerable in their default configurations; however, Qualys recommended applying the patch as a precautionary measure for non-default setups.
Organizations utilizing Ubuntu Desktop 24.04 or later are advised to apply available patches immediately.
Secondary Issue: uutils coreutils Race Condition
During the review process for Ubuntu Desktop 25.10, Qualys identified a separate vulnerability involving uutils coreutils, a Rust-based rewrite of standard GNU utilities. This issue concerned a race condition within the rm utility.
An unprivileged local attacker could exploit this condition to replace directory entries with symlinks during root-owned cron executions, specifically /etc/cron.daily/apport. This could result in arbitrary file deletion as root and potential further escalation if Snap sandbox directories were targeted.
This secondary issue was mitigated prior to Ubuntu 25.10's public release. Ubuntu 25.10 reverted its default rm command to GNU coreutils, and upstream fixes were applied to the uutils repository.