Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
AnalysisAI
Local privilege escalation in snapd on multiple Ubuntu versions allows authenticated local attackers to obtain root access by exploiting a race condition between snap's temporary directory creation and systemd-tmpfiles cleanup operations. An attacker with local access can manipulate the /tmp directory to escalate privileges when snapd attempts to recreate its private snap directories. This vulnerability affects Ubuntu 16.04 LTS through 24.04 LTS with no patch currently available.
Technical ContextAI
The vulnerability exists in snapd, Ubuntu's universal package management system for snap packages, and is classified as CWE-268 (Privilege Chaining). Based on the CPE data, this affects Ubuntu LTS releases 16.04, 18.04, 20.04, 22.04, and 24.04. The issue arises from improper handling of snap's private temporary directory when systemd-tmpfiles is configured to automatically clean temporary files - an attacker can exploit the window between directory deletion and recreation to escalate privileges. This represents a classic time-of-check to time-of-use (TOCTOU) condition in privilege-sensitive directory operations.
RemediationAI
Apply the security updates provided in Ubuntu Security Notice USN-8102-1 by upgrading snapd to the patched versions: 2.61.4ubuntu0.16.04.1+esm2 for Ubuntu 16.04, 2.61.4ubuntu0.18.04.1+esm2 for Ubuntu 18.04, 2.67.1+20.04ubuntu1~esm1 for Ubuntu 20.04, 2.73+ubuntu22.04.1 for Ubuntu 22.04, or 2.73+ubuntu24.04.1 for Ubuntu 24.04. Update using standard package management commands: sudo apt update && sudo apt upgrade snapd. As a temporary mitigation until patching is complete, consider disabling systemd-tmpfiles automatic cleanup of snap's private temporary directories or implementing strict monitoring of privilege escalation attempts through audit logs, though patching remains the recommended solution.
Same weakness CWE-268 – Privilege Chaining
View allSame technique Privilege Escalation
View allVendor StatusVendor
Ubuntu
Priority: High| Release | Status | Version |
|---|---|---|
| upstream | pending | 2.75.1 |
| bionic | released | 2.61.4ubuntu0.18.04.1+esm2 |
| focal | released | 2.67.1+20.04ubuntu1~esm1 |
| jammy | released | 2.73+ubuntu22.04.1 |
| noble | released | 2.73+ubuntu24.04.1 |
| questing | released | 2.73+ubuntu25.10.1 |
| xenial | released | 2.61.4ubuntu0.16.04.1+esm2 |
Debian
Bug #1131120| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 2.49-1+deb11u2 | - |
| bookworm | vulnerable | 2.57.6-1 | - |
| trixie | vulnerable | 2.68.3-3 | - |
| forky | vulnerable | 2.71-3 | - |
| sid | vulnerable | 2.74.1-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12570