CVE-2026-3888 (CVSS 7.8) lets an unprivileged local user gain root on Ubuntu Desktop 24.04 and later. The Qualys Threat Research Unit published the advisory on March 18, 2026. The vulnerability stems from a timing interaction between two standard system components that ship on every Ubuntu Desktop installation.
Two correct components, one broken combination
snap-confine is the setuid-root binary that builds sandboxes for snap applications. It handles mount namespace isolation, cgroup enforcement, AppArmor policy loading, and seccomp filtering. Every time a user launches Firefox, Chromium, Thunderbird, or VS Code on Ubuntu Desktop, snap-confine runs with root privileges to construct the confinement environment.
systemd-tmpfiles is the cleanup daemon that removes stale temporary files. It deletes directories under /tmp on a timer. On Ubuntu 24.04 LTS, the interval is 30 days. On later releases, it is 10 days.
systemd-tmpfiles periodically removes /tmp/.snap, a directory that snap-confine expects to find during sandbox initialization. Once systemd-tmpfiles deletes it, an attacker recreates /tmp/.snap with malicious payloads. The next time snap-confine initializes a sandbox, it bind-mounts those files as root. Arbitrary code runs in the privileged context.
The CVSS vector reflects local access with high attack complexity. The timing window explains the "high complexity" rating. Low privileges are required, no user interaction is needed, and the scope is "changed," meaning a successful exploit breaks out of snap's confinement model entirely.
snap-confine's track record
Qualys TRU has targeted snap-confine before. CVE-2021-44731 ("Oh Snap! More Lemmings," February 2022) was a concurrency bug that gave local users root through a crafted mount namespace. CVE-2022-3328 (November 2022) was another TOCTOU bug that, chained with two Multipathd vulnerabilities (CVE-2022-41974 and CVE-2022-41973), produced a full root chain.
CVE-2026-3888 differs in mechanism. It is not a concurrency bug or memory corruption but a scheduling-based gap between two legitimate services. Neither code review nor fuzzing would catch it easily.
This is the second Qualys TRU disclosure against default Ubuntu infrastructure in one week: CVE-2026-3888 hits snapd, and the CrackArmor findings published five days earlier hit AppArmor. Ubuntu's core security stack is under sustained, systematic examination.
Secondary finding: Rust coreutils TOCTOU bug
Qualys TRU found a separate issue during a pre-release review of Ubuntu 25.10. The uutils coreutils package (a Rust rewrite of standard GNU utilities) contained a race in the rm command. An unprivileged local user could swap directory entries for symbolic links during root-owned cron runs. Exploiting /etc/cron.daily/apport led to arbitrary file deletion as root or further privilege escalation through snap sandbox directories.
Ubuntu reverted the default rm to GNU coreutils before 25.10 shipped publicly. Upstream fixes have since been applied to the uutils repository.
Rust eliminates memory corruption bugs, but it does not eliminate logic bugs, TOCTOU races, or filesystem interaction flaws. The uutils rm race condition shows that memory safety is necessary but not sufficient for privileged system-level code.
Patches and what to do
Canonical released patched snapd packages on March 17, 2026. Ubuntu 24.04 LTS needs snapd 2.73+ubuntu24.04.2. Ubuntu 25.10 needs snapd 2.73+ubuntu25.10.1. Ubuntu 26.04 LTS (dev) needs snapd 2.74.1+ubuntu26.04.1. Upstream snapd is fixed in 2.75. Legacy systems (Ubuntu 16.04 through 22.04 LTS) are not vulnerable out of the box, but Qualys recommends patching them for custom setups.
The Ubuntu Community Hub published a dedicated security notice confirming the fix. Qualys released QID 386810 for vulnerability detection and published the full technical advisory.
Run sudo snap refresh snapd or apply the package update via apt. The 10-to-30-day timing window does not reduce risk on long-lived desktop systems, developer workstations, or shared servers that stay powered on for weeks. Monitor /tmp/.snap for unexpected recreation after systemd-tmpfiles cleanup cycles. Any local user account is sufficient for exploitation.