A newly disclosed flaw in Ubuntu 24.04 and later versions gives local attackers a path to full root access — no special permissions required. The catch? They just have to be patient.
What Happened?
Security researchers at Qualys Threat Research Unit (TRU) disclosed CVE-2026-3888 on March 17, 2026 — a high-severity privilege escalation vulnerability affecting default installations of Ubuntu Desktop 24.04 and later. It carries a CVSS score of 7.8.
The flaw doesn’t come from a single broken component. It’s the result of two standard system utilities interacting in an unintended way: snap-confine, which builds sandboxed environments for snap applications, and systemd-tmpfiles, which periodically purges old temporary files from directories like /tmp.
Here’s how it plays out. When systemd-tmpfiles deletes a critical directory — /tmp/.snap — that snap-confine depends on, an attacker can step in and recreate that directory with malicious files. The next time snap-confine initializes a sandbox, it bind mounts those files as root, allowing arbitrary code execution with full system privileges.
The waiting period before systemd-tmpfiles clears that directory is 30 days on Ubuntu 24.04 and 10 days on later versions. That’s the window an attacker works within — no special user interaction needed.
Qualys also flagged a separate race condition bug in the uutils coreutils package that could allow a local attacker to swap directory entries with symbolic links during root-owned cron jobs, potentially leading to arbitrary file deletion or further privilege escalation.
What’s the Impact?
The end result is full compromise of the host system. An attacker who successfully chains the timing exploit gains root-level access — the highest level of control on a Linux system.
Because the attack requires only low privileges and no user interaction, it’s a realistic threat in shared or multi-user environments. The high attack complexity (the attacker must time the cleanup cycle) is the only real barrier, but that’s not a reliable protection.
Ubuntu releases 24.04, 25.10, and 26.04 (Dev) are all affected. The Qualys team also noted that the race condition in uutils was significant enough that Ubuntu 25.10 reverted its default rm command back to GNU coreutils as an immediate mitigation.
How to Avoid This
Patches are already available. Here’s what’s fixed:
- Ubuntu 24.04 LTS — update snapd to version 2.73+ubuntu24.04.1 or later
- Ubuntu 25.10 — update to 2.73+ubuntu25.10.1 or later
- Ubuntu 26.04 LTS (Dev) — update to 2.74.1+ubuntu26.04.1 or later
- Upstream snapd — versions 2.75 and above are patched
Run sudo apt update && sudo apt upgrade to pick up the fix. If you’re managing Ubuntu endpoints across a fleet, prioritize the snapd update — especially on machines where multiple users have local access.
It’s also worth auditing which systems still run Ubuntu 24.04 without the patch. Given that the exploit window is tied to systemd-tmpfiles cleanup schedules (10–30 days), any unpatched machine that’s been running for that long is already in the risk window.
