
A serious security flaw has been discovered in Ubuntu Desktop versions 24.04 and later, allowing attackers to gain root access. Tracked as CVE-2026-3888 with a CVSS score of 7.8, this vulnerability is considered high risk because it can result in full system compromise.
The issue stems from the interaction between two standard components: snap-confine and systemd-tmpfiles. Snap-confine is responsible for creating sandbox environments for snap applications, while systemd-tmpfiles automatically cleans up temporary directories such as /tmp, /run, and /var/tmp. This combination creates a timing-based gap that attackers can exploit.
In a typical attack scenario, the attacker only needs low-privileged local access and no user interaction. They wait for the system to delete a critical directory like /tmp/.snap (usually after 10–30 days depending on the Ubuntu version). Once removed, the attacker recreates the directory with a malicious payload. When snap-confine initializes again, it mounts the attacker-controlled files with root privileges, enabling full code execution.
The vulnerability has been patched in updated snapd versions for Ubuntu 24.04, 25.10, and the development release 26.04. Researchers also identified a race condition in the uutils coreutils package, which could allow symlink manipulation during root-level cron jobs, potentially worsening privilege escalation scenarios.
Although exploitation requires specific timing and conditions, the impact is severe. Users and administrators are strongly advised to update their systems, ensure snapd is running the latest version, and monitor automatic cleanup processes.
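A defender-side check for the condition described above, as an added example that is not from the original article or from the snapd project: it audits /tmp/.snap for signs that it was recreated by a non-root user. It assumes a legitimately created directory is a real directory owned by root and not writable by group or others; the names audit_dir and demo are hypothetical.

```python
import os
import stat
import tempfile

SNAP_TMP = "/tmp/.snap"  # path named in the article


def audit_dir(path=SNAP_TMP, expected_uid=0):
    """Return a list of findings; an empty list means the directory looks sane.

    Assumption: a legitimate directory is a real directory owned by
    expected_uid (root by default) and not writable by group or others.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["missing: removed by cleanup or never created, re-check later"]
    findings = []
    is_link = stat.S_ISLNK(st.st_mode)
    if is_link:
        findings.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        findings.append("is not a directory")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    # Symlink mode bits are meaningless on Linux, so only check real entries.
    if not is_link and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/other writable (mode {stat.S_IMODE(st.st_mode):o})")
    return findings


def demo():
    """Run the audit on constructed directories instead of the real /tmp."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as base:
        good, loose, link = (os.path.join(base, n) for n in ("good", "loose", "link"))
        os.mkdir(good)
        os.chmod(good, 0o755)
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        os.symlink(good, link)
        return {
            "good": audit_dir(good, expected_uid=me),
            "loose": audit_dir(loose, expected_uid=me),
            "foreign": audit_dir(good, expected_uid=me + 1),  # simulated wrong owner
            "link": audit_dir(link, expected_uid=me),
            "missing": audit_dir(os.path.join(base, "gone"), expected_uid=me),
        }


if __name__ == "__main__":
    for finding in audit_dir():
        print(f"{SNAP_TMP}: {finding}")
```

Run it from a root-owned timer or configuration-management job so the result cannot be influenced by the account being checked; any finding other than an empty list warrants a look before the next snap launch.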
Conclusion: this vulnerability highlights how normal system components can become dangerous when combined. Regular updates and system audits remain essential to securing both Linux servers and desktops.
Source: https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
