Week 12 – 10-30 Days to Root

16 – 22 Mar 2026
This week’s CVE of the Week is about a Local Privilege Escalation (LPE) vulnerability in default installations of Ubuntu Desktop 24.04 and later versions.
CVE-2026-3888 (CVSS score: 7.8), identified by the Qualys Threat Research Unit, could allow an unprivileged local attacker to escalate privileges to the root level.
The vulnerability stems from an unintended interaction between two standard system components:
- snap-confine: Manages execution environments for snap applications.
- systemd-tmpfiles: Automatically cleans up temporary files and directories older than a defined threshold.
The attack complexity is rated high because the exploit chain depends on a built-in time delay: a window of 10–30 days must pass before it can succeed. Once it does, however, the result is a complete compromise of the host system.
The attack unfolds in the following stages:
- The attacker must wait for the system’s cleanup daemon (systemd-tmpfiles) to delete the /tmp/.snap directory that snap-confine relies on. By default this happens after 30 days on Ubuntu 24.04 and after 10 days on later versions.
- Once the directory is deleted, the attacker recreates the directory with malicious payloads.
- During the next sandbox initialization, snap-confine bind-mounts these files as root, allowing the execution of arbitrary code within the privileged context.
The vulnerability is fixed in the following snapd releases; versions prior to these are affected and should be updated:
- Ubuntu 24.04 LTS – snapd 2.73+ubuntu24.04.1 (versions prior to this are vulnerable)
- Ubuntu 25.10 LTS – snapd 2.73+ubuntu25.10.1 (versions prior to this are vulnerable)
- Ubuntu 26.04 LTS (Dev) – snapd 2.74.1+ubuntu26.04.1 (versions prior to this are vulnerable)
- Upstream snapd – 2.75 (versions prior to this are vulnerable)
Legacy systems running Ubuntu 16.04 – 22.04 LTS are not vulnerable in default configurations. However, applying the patch is recommended as a precaution for non-default setups that may mirror the behavior of newer releases.
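The following script is an added example for administrators who want to assess a fleet against this advisory; it is not part of the advisory or of snapd. It combines the two checks a defender cares about from the text above: whether the installed snapd is at or above the fixed version for the release (fixed versions taken from the list above, written without spaces in the usual Ubuntu package format), and whether the /tmp/.snap directory that snap-confine relies on is currently absent (the window the advisory describes) or present but owned by a non-root user. Assumptions: the version parser is a simplified approximation of Debian version ordering that is sufficient for these particular strings (on a real host, `dpkg --compare-versions` is the authoritative answer), the release series is read from VERSION_ID in /etc/os-release, the installed version is read with `dpkg-query`, and a healthy /tmp/.snap is expected to be root-owned.

```python
#!/usr/bin/env python3
"""Assess an Ubuntu host against CVE-2026-3888 (added example, not advisory code).

Pure functions carry the logic so they can be exercised offline; main() applies
them to the running host. Version ordering is a deliberate simplification
(assumption) that is adequate for the version strings in the advisory.
"""
import os
import re
import subprocess
import sys
from typing import Optional, Tuple

# Fixed snapd versions per release, as listed in the advisory.
FIXED_VERSIONS = {
    "24.04": "2.73+ubuntu24.04.1",
    "25.10": "2.73+ubuntu25.10.1",
    "26.04": "2.74.1+ubuntu26.04.1",
    "upstream": "2.75",
}

SNAP_TMP_DIR = "/tmp/.snap"  # directory named in the advisory


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split '2.73+ubuntu24.04.1' into ((2, 73), (24, 4, 1)).

    Upstream part and Ubuntu suffix are compared as integer tuples; this is a
    simplification of Debian ordering that holds for the advisory's strings.
    """
    upstream, _, suffix = v.partition("+")
    up = tuple(int(x) for x in upstream.split("."))
    sfx = tuple(int(x) for x in re.findall(r"\d+", suffix))  # "ubuntu24.04.1" -> (24, 4, 1)
    return up, sfx


def is_fixed(installed: str, series: str) -> bool:
    """True when the installed snapd is at or above the fixed version for `series`."""
    if series not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for series {series!r}")
    inst_up, inst_sfx = parse_version(installed)
    fix_up, fix_sfx = parse_version(FIXED_VERSIONS[series])
    if inst_up != fix_up:
        return inst_up > fix_up
    # Same upstream: a bare upstream version (empty suffix) sorts below the Ubuntu build.
    return inst_sfx >= fix_sfx


def default_install_affected(series: str) -> bool:
    """Per the advisory, default installs of 16.04-22.04 are not affected; 24.04+ are."""
    major, minor = (int(x) for x in series.split("."))
    return (major, minor) >= (24, 4)


def assess_snap_tmp_dir(exists: bool, owner_uid: Optional[int]) -> str:
    """Classify /tmp/.snap from a defender's point of view.

    absent     - removed by the cleanup daemon; the state the advisory's chain waits for
    ok         - present and root-owned (assumed healthy state)
    suspicious - present but owned by an unprivileged user; investigate
    """
    if not exists:
        return "absent"
    return "ok" if owner_uid == 0 else "suspicious"


def parse_os_release(text: str) -> Optional[str]:
    """Return VERSION_ID (e.g. '24.04') from /etc/os-release content, or None."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "VERSION_ID":
            return value.strip().strip('"')
    return None


def main() -> int:
    try:
        with open("/etc/os-release", encoding="utf-8") as fh:
            series = parse_os_release(fh.read())
        installed = subprocess.run(
            ["dpkg-query", "-W", "--showformat=${Version}", "snapd"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not gather host facts: {exc}", file=sys.stderr)
        return 2
    if series is None or not default_install_affected(series):
        print(f"series {series}: not affected in default configuration")
    elif series in FIXED_VERSIONS:
        status = "patched" if is_fixed(installed, series) else "VULNERABLE"
        print(f"series {series}: snapd {installed} -> {status}")
    else:
        print(f"series {series}: compare snapd {installed} with the advisory manually")
    exists = os.path.isdir(SNAP_TMP_DIR)
    uid = os.stat(SNAP_TMP_DIR).st_uid if exists else None
    print(f"{SNAP_TMP_DIR}: {assess_snap_tmp_dir(exists, uid)}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root (or any user that can stat /tmp/.snap) on each host; a "VULNERABLE" line means the package update has not landed yet, and a "suspicious" line on the directory is worth a closer look regardless of patch status.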
For more details, please visit:
https://ubuntu.com/security/CVE-2026-3888
https://cybersecuritynews.com/ubuntu-desktop-systems-vulnerability/

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.