Skip to main content

Ubuntu CVE-2026-3888

| EUVDEUVD-2026-12570 HIGH
Privilege Chaining (CWE-268)
2026-03-17 canonical
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Ubuntu
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12570
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 14:02 nvd
HIGH 7.8

DescriptionCVE.org

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

AnalysisAI

Local privilege escalation in snapd on multiple Ubuntu versions allows authenticated local attackers to obtain root access by exploiting a race condition between snap's temporary directory creation and systemd-tmpfiles cleanup operations. An attacker with local access can manipulate the /tmp directory to escalate privileges when snapd attempts to recreate its private snap directories. This vulnerability affects Ubuntu 16.04 LTS through 24.04 LTS with no patch currently available.

Technical ContextAI

The vulnerability exists in snapd, Ubuntu's universal package management system for snap packages, and is classified as CWE-268 (Privilege Chaining). Based on the CPE data, this affects Ubuntu LTS releases 16.04, 18.04, 20.04, 22.04, and 24.04. The issue arises from improper handling of snap's private temporary directory when systemd-tmpfiles is configured to automatically clean temporary files - an attacker can exploit the window between directory deletion and recreation to escalate privileges. This represents a classic time-of-check to time-of-use (TOCTOU) condition in privilege-sensitive directory operations.

RemediationAI

Apply the security updates provided in Ubuntu Security Notice USN-8102-1 by upgrading snapd to the patched versions: 2.61.4ubuntu0.16.04.1+esm2 for Ubuntu 16.04, 2.61.4ubuntu0.18.04.1+esm2 for Ubuntu 18.04, 2.67.1+20.04ubuntu1~esm1 for Ubuntu 20.04, 2.73+ubuntu22.04.1 for Ubuntu 22.04, or 2.73+ubuntu24.04.1 for Ubuntu 24.04. Update using standard package management commands: sudo apt update && sudo apt upgrade snapd. As a temporary mitigation until patching is complete, consider disabling systemd-tmpfiles automatic cleanup of snap's private temporary directories or implementing strict monitoring of privilege escalation attempts through audit logs, though patching remains the recommended solution.

Vendor StatusVendor

Ubuntu

Priority: High
snapd
Release Status Version
upstream pending 2.75.1
bionic released 2.61.4ubuntu0.18.04.1+esm2
focal released 2.67.1+20.04ubuntu1~esm1
jammy released 2.73+ubuntu22.04.1
noble released 2.73+ubuntu24.04.1
questing released 2.73+ubuntu25.10.1
xenial released 2.61.4ubuntu0.16.04.1+esm2

Debian

Bug #1131120
snapd
Release Status Fixed Version Urgency
bullseye (security), bullseye vulnerable 2.49-1+deb11u2 -
bookworm vulnerable 2.57.6-1 -
trixie vulnerable 2.68.3-3 -
forky vulnerable 2.71-3 -
sid vulnerable 2.74.1-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-3888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy