Ubuntu CVE-2026-3888 Vulnerability Allows Root Access Through systemd Cleanup Timing Exploit

Cybersecurity researchers have disclosed a serious vulnerability in Ubuntu Desktop that could allow attackers to escalate privileges to root on affected systems.

Tracked as CVE-2026-3888, the flaw carries a CVSS score of 7.8 and affects default installations of Ubuntu 24.04 LTS and later versions.

According to the Qualys  Threat Research Unit (TRU), the vulnerability arises from the interaction between two system components: snap-confine, which manages sandboxed execution for snap applications, and systemd-tmpfiles, which periodically cleans temporary directories such as /tmp, /run, and /var/tmp.

“This flaw allows an unprivileged local attacker to escalate to full root access via a time-based exploit chain involving snap-confine and systemd-tmpfiles,” Qualys researchers said. “Although the attack requires a specific timing window, the resulting impact is a full system compromise.”

How the Vulnerability Works

The exploit leverages the scheduled cleanup of temporary files by systemd-tmpfiles:

  1. The cleanup daemon deletes critical directories used by snap-confine, such as /tmp/.snap. The default deletion period is 30 days for Ubuntu 24.04 and 10 days for later releases.
  2. After deletion, an attacker recreates the directory with malicious payloads.
  3. During the next snap sandbox initialization, snap-confine binds the attacker’s files as root, allowing arbitrary code execution in a privileged context.

Qualys also identified a related race condition in the uutils coreutils package, which allows a local attacker to replace directory entries with symbolic links during root-owned cron executions. Exploiting this flaw could lead to arbitrary file deletion or further privilege escalation targeting snap sandbox directories.

Affected Ubuntu and snapd Versions

The vulnerability has been patched in the following versions:

  • Ubuntu 24.04 LTS – snapd versions prior to 2.73+ubuntu24.04.1
  • Ubuntu 25.10 LTS – snapd versions prior to 2.73+ubuntu25.10.1
  • Ubuntu 26.04 LTS (Dev) – snapd versions prior to 2.74.1+ubuntu26.04.1
  • Upstream snapd – versions prior to 2.75

Attackers require low privileges and no user interaction, but the exploit is complex due to the timing requirements.




Found this article interesting? Follow us on  X (Twitter) FacebookBlue sky and LinkedIn to read more exclusive content we post.