7.8 CVE-2026-3888

Enriched by CISA

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
https://nvd.nist.gov/vuln/detail/CVE-2026-3888

Categories

CWE-268 : Privilege Chaining
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Chaining of user rights. Gain certain rights via privilege chaining in alternate channel. Application is allowed to assign extra permissions to itself. "operator" user can overwrite usernames and passwords to gain admin privileges.

References

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2026/03/18/1

security@ubuntu.com

https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3...
https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt
https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888
https://ubuntu.com/security/CVE-2026-3888
https://ubuntu.com/security/notices/USN-8102-1

AFFECTED (from MITRE)

Vendor	Product	Versions
N/A	N/A	< 2.75.1 [affected]
Canonical	Ubuntu 16.04 LTS	2.61.4ubuntu0.16.04.1+esm2 < * [unaffected]
Canonical	Ubuntu 18.04 LTS	2.61.4ubuntu0.18.04.1+esm2 < * [unaffected]
Canonical	Ubuntu 20.04 LTS	2.67.1+20.04ubuntu1~esm1 < * [unaffected]
Canonical	Ubuntu 22.04 LTS	2.73+ubuntu22.04.1 < * [unaffected]
Canonical	Ubuntu 24.04 LTS	2.73+ubuntu24.04.1 < * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee