The Qualys Threat Research Unit has detailed a new Local Privilege Escalation (LPE) vulnerability, tracked as CVE-2026-3888, which affects default installations of Ubuntu Desktop 24.04 and later.
The vulnerability isn’t found in a single buggy line of code, but rather in the “unintended interaction between two privileged utilities” that are standard in the Ubuntu ecosystem.
- snap-confine: The setuid root binary responsible for building the secure “sandbox” that Snap applications live in.
- systemd-tmpfiles: The system's digital janitor, which “manages the lifecycle of volatile directories like /tmp, /run, and /var/tmp” by cleaning out old files on a timer.
The exploit hinges on a “specific time-based window”. In Ubuntu 24.04, an attacker must wait 30 days (or 10 days in later versions) for the system’s cleanup daemon to delete a critical directory, /tmp/.snap, which is required by snap-confine.
Once the janitor (systemd-tmpfiles) deletes that critical directory, the clock starts ticking for the attacker. According to the Qualys report:
“Once deleted, the attacker recreates the directory with malicious payloads. During the next sandbox initialization, snap-confine bind-mounts these files as root, allowing the execution of arbitrary code within the privileged context”.
Essentially, the attacker tricks a high-privilege process into “adopting” a malicious file and running it with full root authority. While the Attack Complexity is High due to this forced waiting period, the result is a “complete compromise of the host system”.
The report also highlighted a “Secondary Finding” involving a race condition in the uutils coreutils package, a Rust-based rewrite of standard GNU utilities.
In a win for proactive security, this separate vulnerability, which could have allowed “arbitrary file deletion as root”, was “mitigated prior to the public release of Ubuntu 25.10”. To stay safe, the Ubuntu team even “reverted to GNU coreutils” for the default rm command in that version.
If you are running a modern version of Ubuntu Desktop, you should check your snapd package versions immediately. The following versions are known to be vulnerable:
- Ubuntu 24.04 LTS: Prior to 2.73+ubuntu24.04.1.
- Ubuntu 25.10 LTS: Prior to 2.73+ubuntu25.10.1.
- Ubuntu 26.04 LTS (Dev): Prior to 2.74.1+ubuntu26.04.1.
Even if you are on a legacy system (16.04 through 22.04), Qualys recommends applying the patch as a precaution to mitigate risks in “non-default configurations”.
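As an added example (not part of the Qualys report or this article), the following Python check compares the installed snapd against the fixed versions listed above using a simplified Debian-style version comparison, and inspects /tmp/.snap, the directory whose deletion opens the window described earlier. The expectation that /tmp/.snap is root-owned and not world-writable is an assumption, not something the report states.

```python
import os
import re
import stat
import subprocess

# Minimum fixed snapd versions per Ubuntu release, as listed in the article.
FIXED = {"24.04": "2.73+ubuntu24.04.1", "25.10": "2.73+ubuntu25.10.1",
         "26.04": "2.74.1+ubuntu26.04.1"}

def _order(c):
    # Debian ordering of non-digit chars: '~' < end-of-string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def deb_cmp(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions` (upstream part only; no epoch/revision)."""
    parts = [re.findall(r"(\D*)(\d*)", v) for v in (v1, v2)]
    n = max(map(len, parts))
    a, b = [p + [("", "")] * (n - len(p)) for p in parts]
    for (s1, d1), (s2, d2) in zip(a, b):
        for i in range(max(len(s1), len(s2))):        # compare the non-digit run char by char
            if (c := _order(s1[i:i + 1]) - _order(s2[i:i + 1])):
                return c
        if (c := int(d1 or 0) - int(d2 or 0)):         # then the numeric run
            return c
    return 0

def is_patched(release, installed):
    """True when the installed snapd is at or above the fixed version for this release."""
    fixed = FIXED.get(release)
    return fixed is not None and deb_cmp(installed, fixed) >= 0

def inspect_dir(path="/tmp/.snap"):
    """Findings for the directory snap-confine relies on (assumed: root-owned, not world-writable)."""
    try:
        st = os.lstat(path)  # lstat so a symlink planted at the path is reported, not followed
    except FileNotFoundError:
        return ["missing (tmpfiles may have removed it; any local user could recreate it)"]
    checks = [(not stat.S_ISDIR(st.st_mode), "not a directory (symlink?)"),
              (st.st_uid != 0, "not root-owned"),
              (st.st_mode & stat.S_IWOTH, "world-writable")]
    return [msg for bad, msg in checks if bad]

def installed_snapd():
    """Installed snapd version from dpkg-query, or None when unavailable."""
    try:
        return subprocess.check_output(["dpkg-query", "-W", "-f=${Version}", "snapd"], text=True).strip()
    except (OSError, subprocess.CalledProcessError):
        return None
```

On a host, call is_patched(release, installed_snapd()) with the VERSION_ID from /etc/os-release and then inspect_dir(); an empty list from inspect_dir() means nothing was flagged.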