Overview
- CVE-2026-3888 allows a local, unprivileged user to gain root on default Ubuntu Desktop 24.04 and newer by abusing the interaction of snap-confine and systemd-tmpfiles.
- The exploit hinges on a 10–30 day cleanup window in which /tmp/.snap is removed, letting an attacker recreate it so snap-confine later bind-mounts malicious files as root.
- Patches are available in snapd 2.73+ubuntu24.04.1 (24.04), 2.73+ubuntu25.10.1 (25.10), 2.74.1+ubuntu26.04.1 (26.04 dev), and upstream 2.75; earlier builds are vulnerable.
- The flaw carries a CVSS v3.1 score of 7.8 with high attack complexity due to the time-delay mechanism, and older Ubuntu releases are not vulnerable by default but should be patched in non-default setups.
- Qualys published technical details and detection coverage and advises immediate patching, and it separately reported a uutils rm race that was mitigated before Ubuntu 25.10 shipped.