CVE-2026-3888: Ubuntu Privilege Escalation via Snap - Patch Now

A high-severity flaw (CVSS 7.8) in Ubuntu 24.04 and later lets a local attacker obtain root through snap-confine and systemd-tmpfiles. Complete patching and detection guide.


A high-severity local privilege escalation (LPE) vulnerability — tracked as CVE-2026-3888 — has been discovered in default installations of Ubuntu Desktop 24.04 and later. Disclosed by the Qualys Threat Research Unit (TRU) on March 17, 2026, this flaw allows an unprivileged local attacker to gain full root access by exploiting an unintended interaction between two trusted system components: snap-confine and systemd-tmpfiles. With a CVSS v3.1 score of 7.8, this is a critical patching priority for every sysadmin running Ubuntu in production.

Unlike typical privilege escalation bugs that hinge on a single exploitable binary, CVE-2026-3888 abuses normal system cleanup behavior. That makes it subtle, hard to detect, and potentially already in progress on unpatched systems right now.

Understanding the Two Components at the Heart of This Flaw

snap-confine: The Sandbox Enforcer

snap-confine is the setuid-root binary responsible for building isolation environments before a snap application runs. It handles mount namespace isolation, cgroup enforcement, AppArmor policy loading, and seccomp filtering. Because it executes with elevated privileges to configure kernel-level sandboxes for regular users, it sits at one of the most sensitive trust boundaries in the Ubuntu ecosystem.

Whenever a snap application launches, snap-confine uses a temporary working directory (/tmp/.snap) to stage bind mounts and prepare the sandbox environment. This directory is critical to the execution chain — and that's exactly what attackers target.

systemd-tmpfiles: The Cleanup Daemon

systemd-tmpfiles manages volatile filesystem paths like /tmp, /run, and /var/tmp. It creates these directories at boot with the correct ownership and permissions, and then periodically purges stale files and directories based on age thresholds defined in /etc/tmpfiles.d/, /run/tmpfiles.d/, and /usr/lib/tmpfiles.d/.

On Ubuntu 24.04, the default cleanup threshold is 30 days. On Ubuntu 25.10 and later, it's reduced to 10 days. This is where the time-based attack window comes from.

How CVE-2026-3888 Works: The Timing-Based Attack Chain

The exploit chain is elegant in its simplicity and terrifying in its implications:

  1. Wait for cleanup: The attacker waits for (or triggers) systemd-tmpfiles to delete the /tmp/.snap directory, which happens automatically after 10–30 days of inactivity.
  2. Race the recreation: Before snap-confine recreates the directory legitimately, the attacker creates /tmp/.snap with malicious content — crafted bind-mount targets, symlinks, or malicious executables.
  3. Trigger snap execution: When any snap application is next launched, snap-confine runs as root, picks up the attacker-controlled /tmp/.snap directory, and bind-mounts its contents into the privileged sandbox context.
  4. Achieve root code execution: The malicious payload executes inside the privileged context — full root compromise achieved.

The CVSS vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H confirms: local attack, high complexity (due to timing), low privileges required, no user interaction, and high impact across confidentiality, integrity, and availability.

Affected Versions and Patched Releases

The following snapd versions are vulnerable. Upgrade immediately to the patched releases:

Ubuntu Version          | Vulnerable snapd         | Patched Version
Ubuntu 24.04 LTS        | < 2.73+ubuntu24.04.2     | 2.73+ubuntu24.04.2
Ubuntu 25.10 LTS        | < 2.73+ubuntu25.10.1     | 2.73+ubuntu25.10.1
Ubuntu 26.04 LTS (Dev)  | < 2.74.1+ubuntu26.04.1   | 2.74.1+ubuntu26.04.1
Upstream snapd          | < 2.75                   | 2.75

Legacy systems (16.04–22.04 LTS) are not vulnerable in default configurations, but Qualys recommends applying patches as a precaution against non-default setups that may mimic newer behavior.

Immediate Remediation: Step-by-Step Patching Guide

Step 1: Check Your Current snapd Version

# Check installed snapd version
snap version

# Or via dpkg
dpkg -l snapd | grep snapd

Step 2: Apply the Security Update

# Update package lists and upgrade snapd
sudo apt update && sudo apt install --only-upgrade snapd

# Verify the patched version is installed
snap version
dpkg -l snapd

Step 3: Check if /tmp/.snap Exists and Is Clean

After patching, inspect whether the directory exists and whether its ownership is correct:

# Check /tmp/.snap ownership and permissions
ls -la /tmp/.snap 2>/dev/null || echo "/tmp/.snap does not exist (normal if no snap app ran recently)"

# If it exists, verify root owns it
stat /tmp/.snap

The directory should be owned by root:root with permissions 700 or 755. Any other ownership is a red flag.

Step 4: Audit Snap Applications in Use

# List all installed snaps
snap list

# Check snap services running as daemons
snap services

# Review snap connections (granted permissions); the header row of
# "snap connections" starts with "Interface", so drop that line
snap connections --all | grep -v "^Interface"

Step 5: Harden tmpfiles Configuration (Defense-in-Depth)

As an additional layer of defense, you can explicitly protect the /tmp/.snap directory from automatic cleanup by adding a tmpfiles rule:

# Create a tmpfiles rule to exclude /tmp/.snap from cleanup
sudo tee /etc/tmpfiles.d/snap-protect.conf << 'EOF'
# Protect /tmp/.snap from systemd-tmpfiles cleanup
# Format: type path mode uid gid age argument
d /tmp/.snap 0700 root root - -
EOF

# Apply immediately
sudo systemd-tmpfiles --create /etc/tmpfiles.d/snap-protect.conf

# Verify
ls -la /tmp/.snap

Detection: How to Know If You've Been Compromised

Detecting an active exploit attempt requires correlating filesystem events with snap execution. Here are key indicators of compromise (IoCs) to look for:

Check for Suspicious /tmp/.snap Ownership

# Real-time monitor for snap-related activity. Watch /tmp itself rather than
# /tmp/.snap, so the creation of /tmp/.snap is caught even when the directory
# does not exist yet (requires inotify-tools)
inotifywait -m -r /tmp -e create,modify,delete,attrib 2>/dev/null | grep --line-buffered '/tmp/\.snap' &

# List entries in /tmp/.snap modified within the last 24 hours
find /tmp/.snap -mmin -1440 -ls 2>/dev/null
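The ownership check from Step 3 and the IoC check above can be folded into one script. The function below is an added example, not code from the article or from snapd: it verifies that a candidate /tmp/.snap is a real directory (not a symlink), owned by the expected uid/gid, mode 700 or 755, and free of symlinks inside. The path and expected uid/gid are parameters (default 0 0, i.e. root:root) so the same function can be exercised against a test directory.

```shell
#!/bin/sh
# Added example: check_snap_tmpdir PATH [UID] [GID]
# Returns 0 when PATH looks like a legitimately created staging dir, 1 otherwise.
check_snap_tmpdir() {
    dir="$1"
    want_uid="${2:-0}"
    want_gid="${3:-0}"

    # A symlink standing in for the directory is the classic substitution trick
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink"
        return 1
    fi
    # Absence is normal when no snap app has run since the last cleanup
    if [ ! -d "$dir" ]; then
        echo "OK: $dir does not exist (nothing staged yet)"
        return 0
    fi

    # GNU stat (Ubuntu): numeric owner, group and permission bits
    set -- $(stat -c '%u %g %a' "$dir")
    uid="$1"; gid="$2"; mode="$3"

    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL: $dir owned by $uid:$gid, expected $want_uid:$want_gid"
        return 1
    fi
    case "$mode" in
        700|755) ;;
        *) echo "FAIL: $dir has mode $mode, expected 700 or 755"; return 1 ;;
    esac

    # Any symlink inside the staging dir can redirect a bind mount
    links=$(find "$dir" -type l | wc -l)
    if [ "$links" -gt 0 ]; then
        echo "FAIL: $dir contains $links symlink(s)"
        return 1
    fi

    echo "OK: $dir is owned by $want_uid:$want_gid, mode $mode, no symlinks"
    return 0
}

# Usage from the command line: sh check_snap.sh /tmp/.snap
if [ -n "${1:-}" ]; then
    check_snap_tmpdir "$1"
fi
```

Run it as root (or via cron/auditd hooks) after each cleanup cycle; a non-zero exit on a live system is the red flag described in Step 3.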

Audit systemd-tmpfiles Logs

# Check systemd-tmpfiles execution logs
journalctl -u systemd-tmpfiles-clean.service --since "30 days ago" | grep -i "snap\|tmp"

# Check for unexpected root processes spawned by snap-confine
journalctl -g "snap-confine" --since "7 days ago"

Use auditd for Privilege Escalation Detection

# Add audit rules to monitor snap-confine execution
sudo auditctl -a always,exit -F path=/usr/lib/snapd/snap-confine -F perm=x -k snap_exec

# Watch for setuid(0) calls from logged-in, non-root sessions (privilege
# escalation events). The target uid is the first syscall argument (a0);
# filtering on auid removes noise from system services
sudo auditctl -a always,exit -F arch=b64 -S setuid -F a0=0 -F auid>=1000 -F auid!=unset -k priv_esc

# Review audit log
sudo ausearch -k snap_exec --start today
sudo ausearch -k priv_esc --start today

Fleet-Wide Patching: Automating Remediation at Scale

If you manage multiple Ubuntu servers or desktops, manual patching is not an option. Here's how to remediate at scale using common sysadmin tools.

Using Ansible

cat > patch_cve_2026_3888.yml << 'EOF'
---
- name: Patch CVE-2026-3888 - snapd LPE vulnerability
  hosts: ubuntu_servers
  become: yes
  tasks:
    - name: Update apt cache
      apt:
        update_cache: yes
        cache_valid_time: 3600

    - name: Upgrade snapd to patched version
      apt:
        name: snapd
        state: latest
        only_upgrade: yes

    - name: Verify snapd version
      command: snap version
      register: snap_ver
      changed_when: false

    - name: Display snapd version
      debug:
        msg: "snapd version: {{ snap_ver.stdout_lines[1] }}"

    - name: Create tmpfiles protection rule
      copy:
        dest: /etc/tmpfiles.d/snap-protect.conf
        content: |
          d /tmp/.snap 0700 root root - -
        owner: root
        group: root
        mode: '0644'

    - name: Apply tmpfiles rule
      command: systemd-tmpfiles --create /etc/tmpfiles.d/snap-protect.conf
      changed_when: false
EOF

# Run the playbook
ansible-playbook -i inventory.ini patch_cve_2026_3888.yml --check  # dry-run first
ansible-playbook -i inventory.ini patch_cve_2026_3888.yml

Quick SSH One-Liner for Small Fleets

# Patch all hosts in a list
for host in server1 server2 server3 workstation1; do
  echo "=== Patching $host ==="
  ssh -o ConnectTimeout=5 "$host" \
    "sudo apt update -qq && sudo apt install --only-upgrade snapd -y && snap version | head -2"
done

Bonus: The uutils Coreutils Race Condition (Ubuntu 25.10)

During their research, Qualys TRU also uncovered a related race condition in the uutils coreutils package — a Rust rewrite of standard GNU utilities that Ubuntu 25.10 was planning to ship. Specifically, the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions (via /etc/cron.daily/apport).

Successful exploitation could lead to arbitrary file deletion as root, or further privilege escalation by targeting snap sandbox directories. Canonical responded proactively: Ubuntu 25.10 was released with GNU coreutils instead of uutils as the default rm, and upstream fixes have since been applied to the uutils repository.

If you're running any custom installations of uutils coreutils, verify you're on a patched version:

# Check which rm is in use
which rm && rm --version

# If using uutils rm, check for updates
cargo install coreutils --force  # update if installed via cargo

Key Takeaways and Next Steps

CVE-2026-3888 is a textbook example of how component interactions — not individual vulnerabilities — can create unexpected attack surfaces. Both snap-confine and systemd-tmpfiles were doing exactly what they were designed to do; it's their unintended interaction that creates the exploit window.

  • Patch immediately: Run sudo apt update && sudo apt install --only-upgrade snapd on all Ubuntu 24.04+ systems
  • Add defense-in-depth: Deploy the tmpfiles protection rule to explicitly protect /tmp/.snap
  • Enable auditd: Monitor snap-confine execution and privilege escalation syscalls
  • Audit your snap usage: Remove snaps you don't actively use — fewer snaps means a smaller attack surface
  • Automate fleet patching: Use Ansible or a similar tool to ensure no system is missed

For the full technical advisory including PoC details, refer to the official Qualys disclosure: https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt

Ubuntu's official security tracker for this CVE is available at: https://ubuntu.com/security/CVE-2026-3888