CVE-2026-3888

Name of the Vulnerable Software and Affected Versions Ubuntu 16.04 LTS Ubuntu 18.04 LTS Ubuntu 20.04 LTS Ubuntu 22.04 LTS Ubuntu 24.04 LTS Ubuntu 25.10 Ubuntu 26.04 Dev

Description A local privilege escalation issue exists in snapd due to an unintended interaction between snap-confine (the sandbox manager) and systemd-tmpfiles (the temporary directory cleaner). When systemd-tmpfiles is configured to automatically clean up the snap private /tmp directory (specifically /tmp/.snap), a local attacker can wait for the system to delete this directory and then recreate it with malicious content. During the next sandbox initialization, snap-confine performs a mount operation on the attacker-controlled directory with root authority, allowing the execution of arbitrary code as the root user. This process typically requires a waiting period of 10 to 30 days for the cleanup cycle to occur.

Recommendations For Ubuntu 24.04 LTS, update snapd and related packages to version 2.73+ubuntu24.04.2 or run sudo pro fix USN-8102-2. For Ubuntu 20.04 LTS, update snapd and related packages to version 2.67.1+20.04ubuntu1~esm1 or run sudo pro fix USN-8102-1. For Ubuntu 16.04 LTS, 18.04 LTS, 22.04 LTS, 25.10, and 26.04 Dev, update snapd to the latest patched version (e.g., version 2.73+ for 24.04+, 2.74.1+ for 26.04 Dev, or 2.75 for upstream). As a temporary mitigation, restrict access to the /tmp directory or disable the automatic cleanup of the /tmp/.snap directory via systemd-tmpfiles to prevent the race condition.