snapd could be made to escalate privileges and run programs as administrator
Description
A race condition in snap-confine allows a local attacker to gain root privileges by bind-mounting arbitrary content into a snap's private mount namespace.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A race condition exists in the snap-confine binary (version 2.54.2) when preparing a private mount namespace for a snap. Specifically, during the execution of setup_private_mount(), an attacker can exploit a time-of-check to time-of-use (TOCTOU) flaw to bind-mount their own contents inside the snap's private mount namespace. This affects snapd versions prior to 2.54.3 on Ubuntu 18.04, 20.04, and 21.10 [3][4].
Exploitation
A local attacker with the ability to create a bind mount during the race window can cause snap-confine to execute arbitrary code. The attacker must be able to trigger the race condition by manipulating the filesystem while snap-confine is setting up the mount namespace. No special privileges beyond local access are required [4].
Impact
Successful exploitation allows the attacker to execute arbitrary code as root, resulting in full privilege escalation and compromise of the system. The attacker gains complete control over the affected host [3][4].
Mitigation
The vulnerability is fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04, and 2.54.3+21.10.1. Users should update snapd to the latest version via their package manager. No workaround is available [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.54.2
- Canonical Ltd./snapd, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QTBN7LLZISXIA4KU4UKDR27Q5PXDS2U/ (mitre: vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGHG6LJAVJJ72TMART6A7N4Z6MSTGI7/ (mitre: vendor-advisory)
- www.debian.org/security/2022/dsa-5080 (mitre: vendor-advisory)
- seclists.org/fulldisclosure/2022/Dec/4 (mitre: mailing-list)
- www.openwall.com/lists/oss-security/2022/02/18/2 (mitre: mailing-list)
- www.openwall.com/lists/oss-security/2022/02/23/1 (mitre: mailing-list)
- www.openwall.com/lists/oss-security/2022/02/23/2 (mitre: mailing-list)
- www.openwall.com/lists/oss-security/2022/11/30/2 (mitre: mailing-list)
- packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html (mitre)
- ubuntu.com/security/notices/USN-5292-1 (mitre)
News mentions
No linked articles in our index yet.