New Ubuntu Flaw Enables Local Attackers to Gain Root Access
A local privilege escalation vulnerability in Ubuntu Desktop 24.04 and later allows attackers to gain root access via a timing-based attack chain exploiting snap-confine and systemd-tmpfiles.
A newly identified local privilege escalation (LPE) vulnerability has been discovered affecting default installations of Ubuntu Desktop 24.04 and later, allowing attackers to gain full root access. The flaw, tracked as CVE-2026-3888, stems from the interaction between two core system components and was uncovered by the Qualys Threat Research Unit.
The issue arises from how snap-confine and systemd-tmpfiles operate together under certain conditions. While exploitation requires patience due to a built-in delay, the potential outcome is a complete system compromise. The flaw relies on a timing-based attack chain: attackers exploit automated system cleanup processes to replace critical directories with malicious content. Key steps include waiting for temporary file cleanup (which occurs after 10-30 days), recreating a deleted directory with malicious payloads, and triggering snap-confine to execute these files with root privileges.
Although the vulnerability has a CVSS score of 7.8, indicating high severity, its complexity is also rated high due to the required timing window. Still, no user interaction is needed, and only low-level access is required to begin the attack. The vulnerability impacts multiple Ubuntu releases, particularly those using snapd package versions before recent updates. Systems running Ubuntu Desktop 24.04 and newer are most at risk.
Users and organizations are advised to upgrade immediately to patched versions: Ubuntu 24.04 LTS: snapd 2.73+ubuntu24.04.2 or later; Ubuntu 25.10 LTS: snapd 2.73+ubuntu25.10.1 or later; Ubuntu 26.04 (development): snapd 2.74.1+ubuntu26.04.1 or later; Upstream snapd: version 2.75 or later. Legacy systems are not affected by default configurations but may still benefit from applying patches as a precaution.
During a separate review ahead of Ubuntu 25.10's release, Qualys said they identified another flaw in the uutils coreutils package. This issue involved a race condition in the rm utility that could allow attackers to manipulate file deletions during scheduled system tasks. The vulnerability was addressed before public release. Developers reverted to GNU coreutils as a temporary safeguard, while upstream fixes have since been implemented.
This discovery highlights the ongoing challenge of securing complex interactions between system components in Linux distributions. The timing-based nature of the exploit makes it difficult to detect, but the availability of patches means administrators can mitigate the risk by updating snapd promptly.