Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
CVE-2026-3888 is a high-severity privilege escalation vulnerability in Ubuntu Desktop 24.04 and later that exploits a timing race condition between snap-confine and systemd-tmpfiles to allow unprivileged local attackers to gain root access. The exploit requires a specific 10–30 day window for the systemd cleanup daemon to delete critical directories, after which an attacker can inject malicious payloads that execute with root privileges during snap sandbox initialization. Patches are available in snapd 2.73+ for Ubuntu 24.04/25.10 and 2.74.1+ for Ubuntu 26.04.
Summary
CVE-2026-3888 is a high-severity privilege escalation vulnerability in Ubuntu Desktop 24.04 and later that exploits a timing race condition between snap-confine and systemd-tmpfiles to allow unprivileged local attackers to gain root access. The exploit requires a specific 10–30 day window for the systemd cleanup daemon to delete critical directories, after which an attacker can inject malicious payloads that execute with root privileges during snap sandbox initialization. Patches are available in snapd 2.73+ for Ubuntu 24.04/25.10 and 2.74.1+ for Ubuntu 26.04.
Full text
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit Ravie LakshmananMar 18, 2026Linux / Endpoint Security A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level. Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system. "This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles," the Qualys Threat Research Unit (TRU) said. "While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system." The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g.,/tmp, /run, and /var/tmp) older than a defined threshold. The vulnerability has been patched in the following versions - Ubuntu 24.04 LTS - snapd versions prior to 2.73+ubuntu24.04.1 Ubuntu 25.10 LTS - snapd versions prior to 2.73+ubuntu25.10.1 Ubuntu 26.04 LTS (Dev) - snapd versions prior to 2.74.1+ubuntu26.04.1 Upstream snapd - versions prior to 2.75 The attack requires low privileges and no user interaction, although the attack complexity is high due to the time-delay mechanism in the exploit chain. "In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp," Qualys said. "An attacker can exploit this by manipulating the timing of these cleanup cycles." The attack plays out in the following manner - The attacker must wait for the system's cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days in Ubuntu 24.04 and 10 days in later versions. Once deleted, the attacker recreates the directory with malicious payloads. During the next sandbox initialization, snap-confine bind mounts these files as root, allowing the execution of arbitrary code within the privileged context. In addition, Qualys said it discovered a race condition flaw in the uutils coreutils package that allows an unprivileged local attacker to replace directory entries with symbolic links (aka symlinks) during root-owned cron executions. "Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories," the cybersecurity company said. "The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE cybersecurity, endpoint security, linux, Open Source, privilege escalation, system security, Ubuntu, Vulnerability Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps
Indicators of Compromise
- cve — CVE-2026-3888