Snapd - Local Privilege Escalation (CVE-2026-3888)

Qualys discovered a vulnerability in snapd which allows local attackers to escalate privileges. We assigned CVE-2026-3888 to it. This vulnerability impacts default installations of Ubuntu 24.04 LTS and Ubuntu 25.10, but we also applied the same hardening to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS, as non-default configurations could be vulnerable to it. The hardening will also be applied to upstream snapd version 2.75.1.

Affected releases

| Release | Package Name | Fixed Version |
| --- | --- | --- |
| Xenial (16.04) | snapd | 2.61.4ubuntu0.16.04.1+esm2 |
| Bionic (18.04) | snapd | 2.61.4ubuntu0.18.04.1+esm2 |
| Focal (20.04) | snapd | 2.67.1+20.04ubuntu1~esm1 |
| Jammy (22.04) | snapd | 2.73+ubuntu22.04.1 |
| Noble (24.04) | snapd | 2.73+ubuntu24.04.2 |
| Questing (25.10) | snapd | 2.73+ubuntu25.10.1 |

How to check if you are impacted

On your system, run the following command and compare the listed version to the table above.

dpkg -l snapd

How to address

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible, you can upgrade only the affected component:

sudo apt update && sudo apt install --only-upgrade snapd

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:

  • Applies new security updates every 24 hours automatically.
  • If you have this enabled, the patches above will be automatically applied within 24 hours of being available.

Mitigation

The fix for this vulnerability is a configuration change that could also be applied manually, but as a reminder, the strongest protection is to apply the security updates. If security updates cannot be applied, you should only apply the following steps as a last resort. Please note that modifying configuration files may stop future unattended upgrades from completing successfully, until these are reverted to the original content.

To manually apply the fix:

Replace the entire contents of /usr/lib/tmpfiles.d/snapd.conf with the following:

D! /tmp/snap-private-tmp 0700 root root -

# Allow removing content in the private tmp folders without affecting the
# architectural structure of the folders themselves.
X /tmp/snap-private-tmp
X /tmp/snap-private-tmp/*/tmp
x /tmp/snap-private-tmp/*/tmp/.snap

Afterwards, run:

sudo systemctl restart systemd-tmpfiles-clean.service
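Added example (not part of the advisory or of snapd): a small POSIX sh validator that checks whether a tmpfiles.d snippet carries the hardened snapd.conf lines above. The function names `check_snapd_tmpfiles` and `check_installed_snapd_conf` are assumptions of this example. It reports a missing `D!` line, the `x` exclusion for the per-snap `.snap` directory, and a first line whose leading `D` has been dropped (which systemd-tmpfiles rejects with "Unknown command type '!'").

```shell
#!/bin/sh
# Added example, not the advisory's own code. Reads a tmpfiles.d snippet on
# stdin and returns 0 when it contains the hardened snapd.conf lines,
# 1 otherwise, printing a reason for each problem found.
check_snapd_tmpfiles() {
    status=0
    have_d=0   # saw "D! /tmp/snap-private-tmp 0700 root root -"
    have_x=0   # saw "x /tmp/snap-private-tmp/*/tmp/.snap"
    # read(1) splits on whitespace runs and does no globbing, so the "*"
    # in the exclusion path is compared literally.
    while read -r type path mode user group age extra || [ -n "$type" ]; do
        case "$type" in
            ''|'#'*) continue ;;   # blank lines and comments
            '!')
                # Leading "D" dropped: "!" alone is not a tmpfiles command type
                if [ "$path" = /tmp/snap-private-tmp ]; then
                    echo "broken line: type '!' is not a command (missing leading 'D')"
                    status=1
                fi ;;
            'D!')
                if [ "$path $mode $user $group $age" = '/tmp/snap-private-tmp 0700 root root -' ]; then
                    have_d=1
                fi ;;
            x)
                if [ "$path" = '/tmp/snap-private-tmp/*/tmp/.snap' ]; then
                    have_x=1
                fi ;;
        esac
    done
    if [ "$have_d" -ne 1 ]; then
        echo "missing: D! /tmp/snap-private-tmp 0700 root root -"
        status=1
    fi
    if [ "$have_x" -ne 1 ]; then
        echo "missing: x /tmp/snap-private-tmp/*/tmp/.snap"
        status=1
    fi
    return "$status"
}

# Convenience wrapper for a live system, using the path the advisory names.
check_installed_snapd_conf() {
    check_snapd_tmpfiles < /usr/lib/tmpfiles.d/snapd.conf
}
```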

How the exploits work

Qualys discovered that this unusual Local Privilege Escalation (LPE) stems from the interaction of two otherwise secure programs:

  1. snap-confine: used internally by snapd to construct the execution environment for snap applications.
  2. systemd-tmpfiles: used to create, delete and clean up files and directories in /tmp.

To use this LPE to obtain a fully privileged root shell, an unprivileged local attacker must wait for systemd-tmpfiles to delete the /tmp/snap-private-tmp/<snap>/tmp/.snap directory for any already installed snap. This occurs 10 days after the last access or modification in Ubuntu 25.10, or 30 days in Ubuntu 24.04.

Acknowledgements

We would like to thank Qualys for their excellent reporting.

References

https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root

https://ubuntu.com/security/CVE-2026-3888

https://ubuntu.com/security/notices/USN-8102-1

3 Likes

Preparing to unpack 
/snapd_2.73+ubuntu24.04.1_amd64.deb 

Unpacking snapd (2.73+ubuntu24.04.1) over (2.73+ubuntu24.04) 

Setting up snapd (2.73+ubuntu24.04.1) 

/usr/lib/tmpfiles.d/snapd.conf:1: Unknown command type ‘!’.
snapd.failure.service is a disabled or a static unit not running, not starting it.
snapd.gpio-chardev-setup.target is a disabled or a static unit not running, not starting it.
snapd.snap-repair.service is a disabled or a static unit not running, not starting it.

I got the following output when upgrading just now for 24.04.4. Is the bolded line expected?

2 Likes

We also encountered the above problem after upgrading with apt.

We are running 2.73+ubuntu24.04.1-arm64

Thanks @gpmitch, I’m looking into it; it seems to be a misfortunate typo.

25.10 looks fine
22.04 looks fine
20.04 looks fine
18.04 looks fine
16.04 looks fine

This seems to be a Noble (24.04)-only issue.

! /tmp/snap-private-tmp 0700 root root -

# Allow removing content in the private tmp folders without affecting the
# architectural structure of the folders themselves.
X /tmp/snap-private-tmp
X /tmp/snap-private-tmp/*/tmp
x /tmp/snap-private-tmp/*/tmp/.snap

This is what my /usr/lib/tmpfiles.d/snapd.conf contains now. I guess there is supposed to be a “D” at the beginning of the first line?

Exactly, I’m fixing it now and a new version will be out. It might take a while, but in the meantime adding the D should fix it.

1 Like

OK, I’ll add it. Thanks.

I’ve just published a new version to noble fixing the regression introduced.
It will take a few hours until it hits all the mirrors.
Please let us know if you find any other issues.
A USN will be published in a couple of hours to mention the regression.
Apologies for the inconvenience and thanks for reporting it to us!

2 Likes

For Noble, you list 2.73+ubuntu24.04.1 in the Affected Versions, but that seems to be the fixed version, no? The one missing the D, I mean.

I’ve just updated the table for the Noble fixed version to 2.73+ubuntu24.04.2.
We will be fixing all other comms today too.

No, I mean the title of that table is “Affected releases”. Either that table’s name should be changed to “Fixed Releases”, or it should list the last vulnerable release, no?

“Affected releases” refers to the first column, which is indeed a list of the releases of Ubuntu that are affected by the bug.

Historically, the Ubuntu Security Team publishes the fixed version (not the perhaps lengthy list of years of affected versions) so folks can clearly confirm that they are running a fixed version.

Since the default settings on Ubuntu systems automatically update security patches without any user or admin involvement, security-conscious admins need merely confirm that the automatic update worked; for that they need to know the fixed version string.

5 Likes

Ah god, my apologies, it literally says fixed version in the table.