Canonical · Ubuntu · CVE-2026-3888
**Name of the Vulnerable Software and Affected Versions**
Ubuntu 16.04 LTS
Ubuntu 18.04 LTS
Ubuntu 20.04 LTS
Ubuntu 22.04 LTS
Ubuntu 24.04 LTS
Ubuntu 25.10 LTS
Ubuntu 26.04 LTS (Dev)
snapd versions prior to 2.75
**Description**
A local privilege escalation issue exists in snapd due to an unintended interaction between `snap-confine` (the sandbox manager) and `systemd-tmpfiles` (the temporary directory cleaner). When `systemd-tmpfiles` is configured to automatically clean up the snap's private `/tmp` directory (specifically `/tmp/.snap`), a local unprivileged attacker can wait for the system to delete this directory, which typically occurs every 10 to 30 days depending on the version, and then recreate it with malicious content. During the subsequent sandbox initialization, `snap-confine` bind-mounts the attacker-controlled directory as root, allowing the execution of arbitrary code with root privileges.
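A defensive check for the condition described above, added here as an example and not taken from the advisory or from snapd: it inspects `/tmp/.snap` with `lstat` and reports when the directory is missing, is not a real directory, or is not owned by the trusted user. The function name, the `trusted_uid` parameter and the expectation that a legitimate directory is root-owned with no group/other write bits are assumptions.

```python
import os
import stat


def audit_snap_tmp(path="/tmp/.snap", trusted_uid=0):
    """Return findings (empty list = nothing suspicious) for `path`.

    Assumption, not stated in the advisory: a legitimate directory is a real
    directory owned by `trusted_uid` (root) with no group/other write bits.
    """
    try:
        # lstat() inspects the entry itself and never follows a planted symlink.
        st = os.lstat(path)
    except FileNotFoundError:
        # The window the advisory describes: the directory has been cleaned up
        # and can be recreated by whoever gets there first.
        return ["missing: directory does not exist and can be recreated"]

    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("type: not a real directory (symlink or other file)")
    elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable: group/other write bit set "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    if st.st_uid != trusted_uid:
        findings.append(f"owner: uid {st.st_uid}, expected {trusted_uid}")
    return findings


if __name__ == "__main__":
    results = audit_snap_tmp()
    for line in results or ["ok: /tmp/.snap is a root-owned directory"]:
        print(line)
```

Run periodically on hosts that have not yet received the fixed `snapd` package, an `owner` or `type` finding is worth investigating before the next snap is launched.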
**Recommendations**
For Ubuntu 24.04 LTS, update `snapd`, `snap-confine`, `ubuntu-snappy`, `ubuntu-core-launcher`, `ubuntu-core-snapd-units`, `snapd-xdg-open`, `golang-github-snapcore-snapd-dev`, and `golang-github-ubuntu-core-snappy-dev` to version 2.73+ubuntu24.04.2 or run `sudo pro fix USN-8102-2`.
For Ubuntu 20.04 LTS, update `snapd`, `snap-confine`, `ubuntu-snappy`, `ubuntu-core-launcher`, `ubuntu-core-snapd-units`, `snapd-xdg-open`, `golang-github-snapcore-snapd-dev`, and `golang-github-ubuntu-core-snappy-dev` to version 2.67.1+20.04ubuntu1~esm1 or run `sudo pro fix USN-8102-1`.
For Ubuntu 25.10 LTS, update `snapd` to version 2.73+ubuntu25.10.1 or newer.
For Ubuntu 26.04 LTS (Dev), update `snapd` to version 2.74.1+ubuntu26.04.1 or newer.
For other affected versions, update `snapd` to version 2.75 or newer.