CVE-2026-3888: Ubuntu Desktop 24.04+ vulnerable to Root exploit
Ubuntu Desktop 24.04 and later are affected by a high-severity vulnerability, CVE-2026-3888, that lets an attacker use systemd's time-based cleanup mechanism to escalate privileges to root, resulting in full control of the system. Users are advised to update to a patched version.

2026-3-18 11:35:29 Author: securityaffairs.com

Ubuntu flaw CVE-2026-3888 lets attackers gain root via a systemd timing exploit, affecting Desktop 24.04+ with high severity.

Qualys researchers found a high-severity flaw, tracked as CVE-2026-3888 (CVSS score of 7.8), in Ubuntu Desktop 24.04+, which allows attackers to exploit a systemd cleanup timing issue to escalate privileges to root and potentially take full control of vulnerable systems.

The bug relies on a cleanup window of 10–30 days, but can ultimately lead to full system compromise. It stems from how snap-confine manages privileged execution and how systemd-tmpfiles removes old temporary files.

“The Qualys Threat Research Unit has identified a Local Privilege Escalation (LPE) vulnerability affecting default installations of Ubuntu Desktop version 24.04 and later. This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles.” reads the advisory.

“While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system.”

CVE-2026-3888 impacts Ubuntu’s snap system and involves two components: snap-confine and systemd-tmpfiles. snap-confine sets up secure app environments, while systemd-tmpfiles cleans temporary files. The flaw happens when an attacker waits for a key folder to be deleted, then recreates it with malicious files. When snap-confine later initializes a sandbox, it mounts these files as root, enabling privilege escalation. Rated high severity (CVSS score of 7.8), the attack requires local access and timing but can lead to full system compromise, impacting confidentiality, integrity, and availability.

“While the CVSS score reflects a High severity, the Attack Complexity is High due to an inherent time-delay mechanism in the exploit chain.” reads the report published by Qualys. “In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp. An attacker can exploit this by manipulating the timing of these cleanup cycles. Specifically, the attack vector involves:

  • The attacker must wait for the system’s cleanup daemon (30 days in Ubuntu 24.04; 10 days in later versions) to delete a critical directory (/tmp/.snap) required by snap-confine.
  • Once deleted, the attacker recreates the directory with malicious payloads.
  • During the next sandbox initialization, snap-confine bind-mounts these files as root, allowing the execution of arbitrary code within the privileged context.”
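
The chain above depends on /tmp/.snap being removed by the cleanup cycle and then recreated by an unprivileged user. The Python check below is an added example, not code from Qualys or the original article: it flags that state on a host and reads the /tmp age from tmpfiles.d-style text. It assumes a legitimate /tmp/.snap is a root-owned directory that is not group- or world-writable; the function names and the sample configuration are constructed for illustration.

```python
import os
import stat

SNAP_TMP = "/tmp/.snap"   # directory named in the advisory

def audit_dir(path=SNAP_TMP, trusted_uid=0):
    """Classify the directory as 'absent', 'ok' or 'suspicious' with reasons."""
    try:
        st = os.lstat(path)   # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        return "absent", []
    reasons = []
    if not stat.S_ISDIR(st.st_mode):
        reasons.append("not a real directory")
    if st.st_uid != trusted_uid:   # assumption: the legitimate owner is root
        reasons.append(f"owner uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    return ("suspicious" if reasons else "ok"), reasons

def tmp_cleanup_age(tmpfiles_text, path="/tmp"):
    """Return the Age field tmpfiles.d sets for `path`, or None if no aging."""
    for line in tmpfiles_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # Columns: Type Path Mode User Group Age Argument
        if fields[1].rstrip("/") == path and len(fields) >= 6 and fields[5] != "-":
            return fields[5]
    return None

# Constructed sample in tmpfiles.d syntax (not copied from any Ubuntu release).
SAMPLE_TMPFILES = """\
# constructed example
q /var/tmp 1777 root root 30d
D /tmp 1777 root root 10d
"""

if __name__ == "__main__":
    status, reasons = audit_dir()
    print(f"{SNAP_TMP}: {status} {reasons}")
    print("sample /tmp age:", tmp_cleanup_age(SAMPLE_TMPFILES))
```

On a live host, the text passed to `tmp_cleanup_age` can be the output of `systemd-tmpfiles --cat-config`.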

Multiple snapd versions are vulnerable to CVE-2026-3888. Systems running Ubuntu Desktop 24.04+ should urgently update to patched releases (2.73+ or later). Upstream versions below 2.75 are also affected. While older Ubuntu versions aren’t vulnerable by default, applying patches is recommended to reduce risk in non-standard configurations.

Additionally, the researchers found a separate flaw in the uutils coreutils package and fixed it before the release of Ubuntu 25.10 through coordination with the Ubuntu Security Team.

“A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions (specifically /etc/cron.daily/apport). Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.” continues the advisory. “The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.”

Pierluigi Paganini

Source: https://securityaffairs.com/189614/security/cve-2026-3888-ubuntu-desktop-24-04-vulnerable-to-root-exploit.html