Description
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Canonical / Ubuntu 16.04 LTS2.61.4ubuntu0.16.04.1+esm2 – *
- Canonical / Ubuntu 18.04 LTS2.61.4ubuntu0.18.04.1+esm2 – *
- Canonical / Ubuntu 20.04 LTS2.67.1+20.04ubuntu1~esm1 – *
- Canonical / Ubuntu 22.04 LTS2.73+ubuntu22.04.1 – *
- Canonical / Ubuntu 24.04 LTS2.73+ubuntu24.04.2 – *
References
- VENDOR_ADVISORYhttps://ubuntu.com/security/CVE-2026-3888
- VENDOR_ADVISORYhttps://ubuntu.com/security/notices/USN-8102-1
- VENDOR_ADVISORYhttps://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888
- MISChttps://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
- MISChttps://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt