
A high-severity security flaw affecting the default installation of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level.
This issue, tracked as CVE-2026-3888 (CVSS score: 7.8), could allow an attacker to gain control of a susceptible system.
“This flaw (CVE-2026-3888) allows a local unprivileged attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles,” said Qualys Threat Research Unit (TRU). “The exploit requires a specific time-based period (10-30 days), but results in a complete compromise of the host system.”
Qualys points out that the issue is due to an unintended interaction between snap-confine, which creates a sandbox and manages the execution environment for snap applications, and systemd-tmpfiles, which automatically cleans up temporary files and directories (such as /tmp, /run, and /var/tmp) that are older than a defined threshold.
This vulnerability is fixed in the following versions:
- Ubuntu 24.04 LTS – snapd versions before 2.73+ubuntu24.04.1
- Ubuntu 25.10 LTS – snapd versions before 2.73+ubuntu25.10.1
- Ubuntu 26.04 LTS (Dev) – snapd versions before 2.74.1+ubuntu26.04.1
- Upstream snapd – versions 2.75 prior to 2.73+ubuntu26.04.1
Although this attack requires low privileges and does not require user interaction, the time delay mechanism in the exploit chain increases the complexity of the attack.
“By default, systemd-tmpfiles is scheduled to delete old data in /tmp,” Qualys said. “An attacker could exploit this by manipulating the timing of these cleanup cycles.”
The attack unfolds as follows:
1. The attacker waits for the system's cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days on Ubuntu 24.04 and 10 days on later versions.
2. Once the directory has been deleted, the attacker recreates it with a malicious payload inside.
3. During the next sandbox initialization, snap-confine bind mounts these files as root, allowing arbitrary code execution within a privileged context.
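A defender-side check for the condition described above, as an added example that is not from Qualys or the snapd project: a shell function that reports whether /tmp/.snap is absent, a symlink, owned by a non-root user, or writable by group or others. It assumes a legitimate directory is root-owned and not group- or world-writable; the `want_uid` parameter and the status strings are hypothetical.

```shell
#!/bin/sh
# Added example. Audits the directory snap-confine depends on.
# Assumptions: a legitimate /tmp/.snap is a real directory owned by root (uid 0)
# and not writable by group or others. The want_uid parameter is hypothetical,
# present so the check can be exercised without root.

audit_snap_tmp() {
    dir=${1:-/tmp/.snap}
    want_uid=${2:-0}

    # A symlink here is never expected; test it before -e, which follows links.
    if [ -L "$dir" ]; then
        echo "SUSPECT:symlink"; return 2
    fi
    # Absent means the cleanup removed it (or no snap has run yet): on an
    # unpatched snapd, whoever creates it next controls its contents.
    if [ ! -e "$dir" ]; then
        echo "MISSING"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "SUSPECT:not-a-directory"; return 2
    fi

    uid=$(stat -c %u "$dir") || return 3
    mode=$(stat -c %a "$dir") || return 3

    # Recreated by an unprivileged user: the owner will not be root.
    if [ "$uid" != "$want_uid" ]; then
        echo "SUSPECT:owner=$uid"; return 2
    fi
    # Root-owned but writable by group/others still lets others plant files.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "SUSPECT:mode=$mode"; return 2
    fi
    echo "OK"
}

# Usage (as root, e.g. from a daily timer):  audit_snap_tmp /tmp/.snap
```

A MISSING result is informational on a patched snapd; on an unpatched one it means the cleanup window the article describes is currently open.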
Additionally, Qualys announced that it had discovered a race condition flaw in the uutils coreutils package. This flaw allows a local unprivileged attacker to replace directory entries with symbolic links (also known as symlinks) during root-owned cron execution.
“A successful exploit could allow the attacker to delete arbitrary files as root or target the Snap Sandbox directory for further privilege escalation,” the cybersecurity firm said. “This vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. To immediately mitigate this risk, the default rm command in Ubuntu 25.10 was reverted to GNU coreutils. An upstream fix was then applied to the uutils repository.”
