Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit

Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit Ravie LakshmananMar 18, 2026Linux / Endpoint Security A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level. Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system. "This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles," the Qualys Threat Research Unit (TRU) said. "While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system."  The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g.,/tmp, /run, and /var/tmp) older than a defined threshold. The vulnerability has been patched in the following versions - Ubuntu 24.04 LTS - snapd versions prior to 2.73+ubuntu24.04.1 Ubuntu 25.10 LTS - snapd versions prior to 2.73+ubuntu25.10.1 Ubuntu 26.04 LTS (Dev) - snapd versions prior to 2.74.1+ubuntu26.04.1 Upstream snapd - versions prior to 2.75 The attack requires low privileges and no user interaction, although the attack complexity is high due to the time-delay mechanism in the exploit chain. "In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp," Qualys said. "An attacker can exploit this by manipulating the timing of these cleanup cycles." The attack plays out in the following manner - The attacker must wait for the system's cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days in Ubuntu 24.04 and 10 days in later versions. Once deleted, the attacker recreates the directory with malicious payloads. During the next sandbox initialization, snap-confine bind mounts these files as root, allowing the execution of arbitrary code within the privileged context. In addition, Qualys said it discovered a race condition flaw in the uutils coreutils package that allows an unprivileged local attacker to replace directory entries with symbolic links (aka symlinks) during root-owned cron executions. "Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories," the cybersecurity company said. "The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, endpoint security, linux, Open Source, privilege escalation, system security, Ubuntu, Vulnerability Trending News Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps