CVE-2026-3888

Name of the Vulnerable Software and Affected Versions Ubuntu 16.04 LTS (affected versions not specified) Ubuntu 18.04 LTS (affected versions not specified) Ubuntu 20.04 LTS versions prior to 2.67.1+20.04ubuntu1~esm1 Ubuntu 22.04 LTS (affected versions not specified) Ubuntu 24.04 LTS versions prior to 2.73+ubuntu24.04.2 Ubuntu 25.10 versions prior to 2.73+ubuntu25.10.1 Ubuntu 26.04 Dev versions prior to 2.74.1+ubuntu26.04.1 snapd versions prior to 2.75

Description A local privilege escalation issue exists in snapd due to an unintended interaction between snap-confine (the sandbox manager) and systemd-tmpfiles (the temporary directory cleaner). When systemd-tmpfiles is configured to automatically clean up the snap's private /tmp directory (specifically /tmp/.snap), a local unprivileged attacker can wait for the system to delete this directory—which typically occurs every 10 to 30 days depending on the version—and then recreate it with malicious content. During the subsequent sandbox initialization, snap-confine performs a bind-mount operation on the attacker-controlled directory with root authority, allowing the execution of arbitrary code as the root user. This process requires no user interaction.

Recommendations For Ubuntu 20.04 LTS, update snapd and related packages to version 2.67.1+20.04ubuntu1~esm1. For Ubuntu 24.04 LTS, update snapd and related packages to version 2.73+ubuntu24.04.2. For Ubuntu 25.10, update snapd to version 2.73+ubuntu25.10.1. For Ubuntu 26.04 Dev, update snapd to version 2.74.1+ubuntu26.04.1. For other installations, update snapd to version 2.75 or newer. As a temporary mitigation, restrict access to the /tmp directory or disable the automatic cleanup of the /tmp/.snap directory by systemd-tmpfiles to prevent the race condition.