Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
Publish Date: 2026-03-18 04:08:00
Source Domain: thehackernews.com
A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level.
Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system.
“This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles,” the Qualys Threat Research Unit (TRU) said. “While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system.”
The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g.,/tmp, /run, and /var/tmp) older than a defined threshold.
The vulnerability has been patched in the following versions –
- Ubuntu 24.04 LTS – snapd versions prior to 2.73+ubuntu24.04.1
- Ubuntu 25.10 LTS – snapd versions prior to 2.73+ubuntu25.10.1
- Ubuntu 26.04 LTS (Dev) – snapd versions prior to 2.74.1+ubuntu26.04.1
- Upstream snapd – versions prior to 2.75
The attack requires low privileges and no user interaction, although the attack complexity is high due to the time-delay mechanism in the exploit chain.
“In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp,” Qualys said. “An attacker can exploit this by manipulating the timing of these cleanup cycles.”
The attack plays out in the following manner –
- The attacker must wait for the system’s cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days in Ubuntu 24.04 and 10 days in later versions.
- Once deleted, the attacker recreates the directory with…
