PT-2026-25897 · Canonical+2 · Ubuntu+3

Thedarktangent · Published 2026-01-01 · Updated 2026-06-04 · CVE-2026-3888

CVSS v3.1: 7.8 High
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Ubuntu 16.04 LTS
Ubuntu 18.04 LTS
Ubuntu 20.04 LTS
Ubuntu 22.04 LTS
Ubuntu 24.04 LTS
Ubuntu 25.10 LTS
Ubuntu 26.04 LTS (Dev)
snapd versions prior to 2.75

Description

A local privilege escalation issue exists in snapd due to an unintended interaction between snap-confine (the sandbox manager) and systemd-tmpfiles (the temporary directory cleaner). When systemd-tmpfiles is configured to automatically clean up the snap's private /tmp directory (specifically /tmp/.snap), a local unprivileged attacker can wait for the system to delete this directory—which typically occurs every 10 to 30 days depending on the version—and then recreate it with malicious content. During the subsequent sandbox initialization, snap-confine performs a bind-mount operation on the attacker-controlled directory using root authority, allowing the execution of arbitrary code with root privileges.
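
An added exposure check, not taken from the advisory or from the snapd project: it parses tmpfiles.d rules and reports which age-based clean-up rules cover /tmp/.snap, the precondition the description names. The sample configuration is constructed, the function names are hypothetical, and two simplifications are assumed: rules are read from a single text rather than merged with systemd's file precedence, and glob matching uses Python's fnmatch rather than systemd's own matcher.

```python
import fnmatch

# Constructed sample tmpfiles.d content (not copied from any Ubuntu release).
SAMPLE_CONF = """\
# Type Path Mode User Group Age
q /tmp 1777 root root 10d
d /var/tmp 1777 root root 30d
x /tmp/systemd-private-*
"""

CLEANING_TYPES = set("dDevqQ")  # line types whose Age field enables clean-up


def parse_rules(conf_text):
    """Return (type_letter, path, age) for every rule line in tmpfiles.d text."""
    rules = []
    for raw in conf_text.splitlines():
        fields = raw.split(None, 6)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        age = fields[5] if len(fields) > 5 else "-"
        # fields[0][0] drops modifiers such as "!" or "-" after the type letter.
        rules.append((fields[0][0], fields[1].rstrip("/") or "/", age))
    return rules


def ancestors(path):
    """'/tmp/.snap' -> ['/tmp/.snap', '/tmp', '/']"""
    chain = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        chain.append(path)
    return chain


def cleanup_exposure(conf_text, target="/tmp/.snap"):
    """List the rules that let systemd-tmpfiles age out `target`; [] if none."""
    rules = parse_rules(conf_text)
    chain = ancestors(target.rstrip("/"))
    for kind, pattern, _ in rules:
        # "x" protects a path and its contents, "X" only the path itself.
        if kind == "x" and any(fnmatch.fnmatchcase(p, pattern) for p in chain):
            return []
        if kind == "X" and fnmatch.fnmatchcase(chain[0], pattern):
            return []
    return [r for r in rules
            if r[0] in CLEANING_TYPES and r[2] != "-"
            and any(fnmatch.fnmatchcase(p, r[1]) for p in chain[1:])]


if __name__ == "__main__":
    for rule in cleanup_exposure(SAMPLE_CONF):
        print("age-based clean-up covers /tmp/.snap:", rule)
```

On a live host the input can be the output of systemd-tmpfiles --cat-config; an empty result means no parsed rule ages out the directory, not that snapd itself is patched.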

Recommendations

For Ubuntu 24.04 LTS, update snapd, snap-confine, ubuntu-snappy, ubuntu-core-launcher, ubuntu-core-snapd-units, snapd-xdg-open, golang-github-snapcore-snapd-dev, and golang-github-ubuntu-core-snappy-dev to version 2.73+ubuntu24.04.2 or run sudo pro fix USN-8102-2.

For Ubuntu 20.04 LTS, update snapd, snap-confine, ubuntu-snappy, ubuntu-core-launcher, ubuntu-core-snapd-units, snapd-xdg-open, golang-github-snapcore-snapd-dev, and golang-github-ubuntu-core-snappy-dev to version 2.67.1+20.04ubuntu1~esm1 or run sudo pro fix USN-8102-1.

For Ubuntu 25.10 LTS, update snapd to version 2.73+ubuntu25.10.1 or newer.

For Ubuntu 26.04 LTS (Dev), update snapd to version 2.74.1+ubuntu26.04.1 or newer.

For other affected versions, update snapd to version 2.75 or newer.

Exploit

Fix

LPE

Weakness Enumeration

Related Identifiers

BDU:2026-03419
CVE-2026-3888
USN-8102-1
USN-8102-2

Affected Products

Linuxmint
Ubuntu
Snapd
Uutils Coreutils