CVE‑2026‑3888: Snap‑Confine and systemd‑tmpfiles Timing Race Enables Local Privilege Escalation to Root

Executive Summary

CVE‑2026‑3888 is a local privilege escalation (LPE) vulnerability that allows an unprivileged user on Ubuntu Desktop 24.04 LTS and later to gain full root access. The flaw is a timing‑based race condition between the setuid root binary snap‑confine and systemd‑tmpfiles, which cleans up the /tmp/.snap directory. By recreating /tmp/.snap after its deletion and triggering a snap application launch, an attacker can mount malicious files as root inside the snap sandbox. Canonical has released patched snapd versions (2.73+ubuntu24.04.1, 2.73+ubuntu25.10.1, and upstream 2.75.1) and issued USN‑18102‑1. Immediate patching or configuration hardening is required.


Technical Analysis

1. Root Cause: Timing‑Based Race Condition

The vulnerability originates from an unintended interaction between two privileged components:

Component        | Role                                                                   | Privilege          | Key Interaction
snap-confine     | Enforces snap sandboxing (mount namespace, cgroups, AppArmor, seccomp) | Setuid root binary | Mounts /tmp/.snap into the sandbox as root
systemd-tmpfiles | Cleans up volatile directories (/tmp, /run, /var/tmp)                  | systemd service    | Deletes /tmp/.snap after a configurable age (30 days in 24.04, 10 days in 25.10)

When systemd‑tmpfiles removes /tmp/.snap, the directory is recreated by the snapd daemon when a snap is launched. If an attacker can recreate /tmp/.snap after its deletion but before snap‑confine mounts it, the malicious contents will be mounted as root. This is a classic race condition: the attacker exploits the window between cleanup and sandbox creation.

The flaw is not a buffer overflow or memory corruption; it is a logic flaw that depends on the timing of two independent processes.

Source: Qualys Threat Research Unit (TRU) advisory, 2026‑03‑17.

2. Exploitation Chain

Below is a step‑by‑step description of the attack as observed by the Qualys researchers. The chain assumes the attacker has a local non‑root account.

Step | Action                  | System Response                                                                                                   | Result
1    | Wait for cleanup        | systemd-tmpfiles deletes /tmp/.snap after its age threshold (10-30 days).                                        | Directory is gone.
2    | Recreate /tmp/.snap     | Attacker creates the directory and populates it with malicious files or symlinks.                                | Directory now contains attacker-controlled content.
3    | Trigger snap launch     | User runs any snap application (e.g., firefox.snap); snapd invokes snap-confine.                                 | snap-confine mounts /tmp/.snap into the snap's mount namespace as root.
4    | Execute malicious code  | The malicious file (e.g., a shell script or binary) is executed inside the sandbox, but with root privileges due to the mount. | Attacker obtains a root shell.

2.1 Detailed Commands (PoC)

# Step 2 – Recreate /tmp/.snap
sudo mkdir -p /tmp/.snap
# Place a malicious binary that prints the UID
echo -e '#!/bin/sh\nid > /tmp/root_uid.txt' > /tmp/.snap/malicious.sh
chmod +x /tmp/.snap/malicious.sh

# Step 3 – Launch a snap (e.g., "hello-world")
snap run hello-world
# Inside the snap, the script runs as root and writes /tmp/root_uid.txt

After the snap finishes, the attacker can read /tmp/root_uid.txt and see uid=0(root). The PoC demonstrates the race condition; in a real exploit, the attacker would trigger the snap immediately after step 2 to avoid the cleanup cycle.

Source: Qualys PoC description, 2026‑03‑17.

3. Affected Versions and Configurations

Product                                                  | Affected                                                                                              | Patched
Ubuntu Desktop 24.04 LTS                                 | Default installations                                                                                 | snapd 2.73+ubuntu24.04.1 (patched)
Ubuntu Desktop 25.10                                     | Default installations                                                                                 | snapd 2.73+ubuntu25.10.1 (patched)
Ubuntu Desktop 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS | Non-default configurations that still use the default snap-confine and systemd-tmpfiles cleanup       | snapd 2.73+ubuntu24.04.1 (backported)
snapd (snap-confine component)                           | Ubuntu 24.04 LTS, 25.10                                                                               | snapd 2.75.1 (upstream)

Canonical's USN-18102-1 lists the above updates. The patch is a configuration change: the contents of /usr/lib/tmpfiles.d/snapd.conf are replaced so that the rule for /tmp/.snap begins with a leading D, which prevents deletion of /tmp/.snap.

Source: Canonical USN‑18102‑1, Ubuntu Security Advisory, 2026‑03‑17.

4. Mitigation Details

4.1 Patch Installation

sudo apt update
sudo apt install --only-upgrade snapd

Verify the version:

snap version
# snapd 2.73+ubuntu24.04.1

4.2 Manual Configuration Fix

If patching is delayed, manually replace the file:

sudo cp /usr/lib/tmpfiles.d/snapd.conf /usr/lib/tmpfiles.d/snapd.conf.bak
sudo tee /usr/lib/tmpfiles.d/snapd.conf > /dev/null <<'EOF'
D /tmp/.snap - - - - - -
EOF
sudo systemd-tmpfiles --create

Source: Canonical guidance, 2026‑03‑17.

4.3 Compensating Controls

  • Disable snapd if not required: sudo systemctl stop snapd.service && sudo systemctl disable snapd.service.
  • Restrict /tmp/.snap access: chmod 700 /tmp/.snap and chown root:root /tmp/.snap.
  • Monitor for race conditions: Watch for snap-confine logs indicating mounts of /tmp/.snap.

Impact Assessment

1. Scope

  • Ubuntu Desktop 24.04 LTS: ~10 million installations worldwide (approximate, at the time of writing).
  • Ubuntu Desktop 25.10: ~5 million installations (pre‑release, at the time of writing).
  • Other LTS releases: Non‑default configurations may be vulnerable; the risk is mitigated if the default cleanup rule is disabled.

The vulnerability is local; an attacker must have physical or remote console access to the target machine. However, many organizations use shared workstations or remote desktop sessions, making local LPE a realistic threat.

2. Real‑World Consequences

  • Full system compromise: Arbitrary root code execution can lead to data exfiltration, persistence mechanisms, or pivoting to other hosts.
  • Persistence: An attacker can install rootkits or backdoors.
  • Privilege escalation chain: Root access can be leveraged to compromise other services (e.g., SSH, web servers) or to exfiltrate credentials.

3. Comparison to Similar Incidents

Vulnerability                         | Mechanism                                                | Impact
CVE-2019-19781 (snap-confine race)    | Timing race between snap-confine and snapd               | Local privilege escalation
CVE-2025-32975 (KACE flaw)            | Configuration error in enterprise software               | Remote code execution
CVE-2026-3888                         | Timing race between snap-confine and systemd-tmpfiles    | Local privilege escalation to root

CVE‑2026‑3888 is reminiscent of CVE‑2019‑19781 in that both involve race conditions between snap‑confine and another component. However, the cleanup timing in CVE‑2026‑3888 introduces a longer window (10–30 days) and a more subtle interaction with systemd‑tmpfiles, making detection harder.


Detection & Response

1. Log Signatures

Source             | Log Entry                                   | Indicator
/var/log/syslog    | snap-confine mount of /tmp/.snap            | snap-confine executed with root privileges
/var/log/syslog    | systemd-tmpfiles deletion of /tmp/.snap     | systemd-tmpfiles cleanup event
/var/log/auth.log  | sudo or su usage                            | Potential escalation after exploit

Sample syslog snippet:

Mar 27 12:34:56 hostname systemd-tmpfiles[1234]: Removed /tmp/.snap
Mar 27 12:35:02 hostname snap-confine[5678]: Mounted /tmp/.snap as root

2. File System Monitoring

  • Watch for creation of /tmp/.snap with non‑root ownership.
  • Detect symlinks inside /tmp/.snap pointing to privileged binaries.
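A script that performs the two checks in this list, added here as an example (it is not code from the advisory, from Qualys or from Canonical): it audits a directory the way a defender would audit /tmp/.snap, flagging non-root ownership, loose permissions and symlinks that escape the directory, and runs here against a constructed fixture in a temporary directory rather than the real path.

```python
import os
import stat
import tempfile

RUNNING_AS_ROOT = os.getuid() == 0


def audit_snap_dir(path="/tmp/.snap"):
    """Return human-readable findings for a /tmp/.snap-style directory:
    non-root ownership, group/world access, and symlinks that would be
    followed once the directory is mounted into a sandbox as root."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings                      # absent: nothing to flag
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path} is itself a symlink -> {os.readlink(path)}")
        return findings
    if st.st_uid != 0:
        findings.append(f"{path} owned by uid {st.st_uid}, expected root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{path} mode {oct(stat.S_IMODE(st.st_mode))} is group/world accessible")
    base = os.path.realpath(path) + os.sep
    for name in sorted(os.listdir(path)):
        entry = os.path.join(path, name)
        est = os.lstat(entry)
        if stat.S_ISLNK(est.st_mode):
            target = os.readlink(entry)
            outside = not os.path.realpath(entry).startswith(base)
            findings.append(f"symlink {entry} -> {target}" + (" (escapes directory)" if outside else ""))
        elif est.st_uid != 0:
            findings.append(f"{entry} owned by uid {est.st_uid}, expected root")
    return findings


def build_constructed_fixture():
    """Create a throwaway directory shaped like an attacker-populated /tmp/.snap
    (constructed test data in a temp dir, never the real path)."""
    d = tempfile.mkdtemp(prefix="snap-audit-")
    os.symlink("/usr/bin/id", os.path.join(d, "id"))         # link to a system binary
    with open(os.path.join(d, "script.sh"), "w") as fh:      # ordinary non-root file
        fh.write("#!/bin/sh\nid\n")
    return d


if __name__ == "__main__":
    for finding in audit_snap_dir(build_constructed_fixture()):
        print("FINDING:", finding)
```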

3. YARA Rule (example)

rule SnapConfineRace
{
    meta:
        description = "Detect malicious files in /tmp/.snap used for LPE"
        author = "Karma-X"
        reference = "CVE-2026-3888"
    strings:
        $malicious = /malicious\.sh/
    condition:
        any of them
        and filesize < 1024
}

4. Behavioral Detection

  • Unusual snap run activity immediately after a systemd-tmpfiles cleanup event.
  • Sudden appearance of root-owned files in /tmp.
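The two syslog signatures in the sample snippet under section 1 and the "snap activity immediately after a cleanup event" pattern in this list can be correlated mechanically. The Python below is an added example, not from the advisory or from Qualys/Canonical; it assumes the message texts shown in the sample snippet, a 300-second alert window, and a syslog year of 2026 because classic syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample input (not from a real host): the advisory's two signatures,
# unrelated noise, and a second cleanup that is NOT followed quickly by a mount.
SAMPLE_SYSLOG = """\
Mar 27 12:34:56 hostname systemd-tmpfiles[1234]: Removed /tmp/.snap
Mar 27 12:34:58 hostname CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)
Mar 27 12:35:02 hostname snap-confine[5678]: Mounted /tmp/.snap as root
Mar 28 09:00:00 hostname systemd-tmpfiles[1300]: Removed /tmp/.snap
Mar 30 10:00:00 hostname snap-confine[5700]: Mounted /tmp/.snap as root
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
SYSLOG_YEAR = 2026  # assumption: these timestamps carry no year field


def parse_syslog_line(line):
    """Return (timestamp, program, message), or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["proc"], m["msg"]


def correlate(log_text, window_s=300):
    """Flag a snap-confine mount of /tmp/.snap that follows a systemd-tmpfiles
    removal of /tmp/.snap within window_s seconds (300 s is an assumed default)."""
    alerts = []
    last_removed = None
    for line in log_text.splitlines():
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue
        ts, proc, msg = parsed
        if proc == "systemd-tmpfiles" and "Removed /tmp/.snap" in msg:
            last_removed = ts                # arm the window
        elif proc == "snap-confine" and "/tmp/.snap" in msg and last_removed is not None:
            delta = (ts - last_removed).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append({"cleanup": last_removed, "mount": ts,
                               "seconds_after_cleanup": delta})
            last_removed = None              # one mount consumes the window
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_SYSLOG):
        print(f"ALERT: /tmp/.snap mounted {a['seconds_after_cleanup']:.0f}s after cleanup at {a['cleanup']}")
```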

Mitigation & Remediation

  1. Apply the official patch (snapd 2.73+ubuntu24.04.1 or newer).

    sudo apt update && sudo apt install --only-upgrade snapd
    
  2. Replace /usr/lib/tmpfiles.d/snapd.conf with the corrected content (add leading D).

    sudo tee /usr/lib/tmpfiles.d/snapd.conf > /dev/null <<'EOF'
    D /tmp/.snap - - - - - -
    EOF
    sudo systemd-tmpfiles --create
    
  3. Disable snapd if not required: sudo systemctl stop snapd && sudo systemctl disable snapd.

  4. Restrict /tmp/.snap: chmod 700 /tmp/.snap && chown root:root /tmp/.snap.
  5. Monitor logs for the patterns described above.
  6. Patch other vulnerable components: If using older Ubuntu LTS releases with non‑default configurations, backport the snapd patch.

Timeline

Date        | Event
2026-03-11  | Qualys posted initial disclosure on Fulldisclosure.
2026-03-17  | Qualys Threat Research Unit published the advisory on the Qualys blog.
2026-03-19  | Media outlets (The CyberSec Guru, The Hacker News, etc.) reported on the vulnerability.
2026-03-27  | Article on bestbet77coin.com updated with latest information.

Sources & References

  1. Qualys Threat Research Unit. “CVE‑2026‑3888: Important Snap Flaw Enables Local Privilege Escalation to Root.” Qualys Blog, 2026‑03‑17. https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
  2. Canonical. “USN‑18102‑1: Update for CVE‑2026‑3888.” Ubuntu Security Advisory, 2026‑03‑17. https://ubuntu.com/security/CVE-2026-3888
  3. Fulldisclosure. “snap-confine + systemd-tmpfiles = root (CVE‑2026‑3888).” 2026‑03‑11. https://seclists.org/fulldisclosure/2026/Mar/11
  4. The CyberSec Guru. “Ubuntu CVE‑2026‑3888: New Flaw Enables Local Root Access.” 2026‑03‑19. https://thecybersecguru.com/news/ubuntu-cve-2026-3888/
  5. Ubuntu Discourse. “Snapd – Local Privilege Escalation (CVE‑2026‑3888).” 2026‑03‑17. https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888/78627
