CareersInCloud
CVE-2026-3888: Ubuntu's snapd Has a Root Exploit — Here's What You Need to Know

By Shiva | 19 Mar 2026 | CloudSutra

Qualys researchers have uncovered a nasty local privilege escalation bug in Ubuntu's snapd package, and if you're running any supported Ubuntu release with systemd-tmpfiles enabled, you'll want to patch this one today.

What's going on?

The vulnerability, tracked as CVE-2026-3888, lives in the way snapd handles its private /tmp directory. When systemd-tmpfiles is enabled to automatically clean up this directory — which is a pretty common configuration — the cleanup opens a brief but exploitable timing window.

Here's the problem: after systemd-tmpfiles wipes the directory, there's a small gap before snapd re-creates it. A local attacker with even a basic unprivileged account can race into that gap and re-create the directory themselves, with their own permissions or symlinks in place. From there, they can escalate to root.

This is a classic TOCTOU (time-of-check to time-of-use) race condition — a well-known class of bug that's easy to underestimate because it sounds tricky to pull off, but in practice can be reliably triggered.

How bad is it?

Ubuntu's security team rated this High priority, and the CVSS 3.1 score backs that up at 7.8 out of 10. The attack only requires a local account (no remote access needed), but the payoff for the attacker is full root — High impact on confidentiality, integrity, and availability. The Changed scope in the CVSS breakdown means a successful exploit breaks out of snap's confinement entirely and affects the wider host system.

Who is affected?

Every currently supported Ubuntu release is impacted, including LTS releases going back to 16.04 under Extended Security Maintenance (ESM).

  • Ubuntu 25.10 (Questing) — fixed in snapd 2.73+ubuntu25.10.1
  • Ubuntu 24.04 LTS (Noble) — fixed in snapd 2.73+ubuntu24.04.2
  • Ubuntu 22.04 LTS (Jammy) — fixed in snapd 2.73+ubuntu22.04.1
  • Ubuntu 20.04 LTS (Focal) — fixed in snapd 2.67.1+20.04ubuntu1~esm1
  • Ubuntu 18.04 LTS (Bionic) — fixed in snapd 2.61.4ubuntu0.18.04.1+esm2 (ESM)
  • Ubuntu 16.04 LTS (Xenial) — fixed in snapd 2.61.4ubuntu0.16.04.1+esm2 (ESM)

How to fix it

Run the following on any affected system:

sudo apt update && sudo apt install --only-upgrade snapd

If you're on Ubuntu 16.04 or 18.04, you'll need an active Ubuntu Pro subscription to pull the ESM patch.
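
To confirm that a host really ended up on a fixed build, compare the installed snapd version with the fixed version for its release using Debian version ordering, not plain string comparison. The script below is an added example, not code from Qualys, Canonical or the original article; it reimplements dpkg's ordering rules in Python and assumes the codename is read from VERSION_CODENAME in /etc/os-release.

```python
import re
import subprocess

# Fixed snapd versions per Ubuntu codename, copied from the list above.
FIXED = {
    "questing": "2.73+ubuntu25.10.1",
    "noble": "2.73+ubuntu24.04.2",
    "jammy": "2.73+ubuntu22.04.1",
    "focal": "2.67.1+20.04ubuntu1~esm1",
    "bionic": "2.61.4ubuntu0.18.04.1+esm2",
    "xenial": "2.61.4ubuntu0.16.04.1+esm2",
}

def _order(ch):
    """dpkg character weight: '~' < end of run (0) < letters < other symbols."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    """Split one version component into alternating text and number runs."""
    key = []
    for text, num in re.findall(r"(\D*)(\d*)", part):
        key.append([_order(c) for c in text] + [0])  # 0 marks the end of the run
        key.append(int(num or 0))                    # an empty number counts as 0
    return key

def deb_version_key(version):
    """Sort key for a Debian version string of the form [epoch:]upstream[-revision]."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"  # a missing revision is equivalent to 0
    return (int(epoch), _key(upstream), _key(revision))

def is_patched(codename, installed):
    """True if the installed snapd is at or above the fixed version for this release."""
    return deb_version_key(installed) >= deb_version_key(FIXED[codename])

if __name__ == "__main__":
    with open("/etc/os-release") as fh:
        info = dict(line.rstrip().split("=", 1) for line in fh if "=" in line)
    codename = info["VERSION_CODENAME"].strip('"')
    installed = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "snapd"],
                               capture_output=True, text=True, check=True).stdout
    print(codename, installed, "patched" if is_patched(codename, installed) else "VULNERABLE")
```

The tilde rule is what makes the 20.04 entry awkward: `~esm1` sorts before the same string without the suffix, which a naive comparison would get backwards.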

Bottom line

This isn't a remote code execution bug, so it won't show up in mass exploitation campaigns the way a network-facing flaw would. But on any shared Linux system — cloud VMs, dev servers, anything with multiple local users — a local privilege escalation to root is a serious deal. The patch is already out, the fix is one command, and there's no reason to sit on this one.
