Ubuntu vulnerability exposes enterprises to root escalation, complete system compromise

The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components


Just a week after revealing critical vulnerabilities in Linux’s AppArmor security layer, Qualys researchers are warning of a flaw affecting Ubuntu that can also allow an unprivileged user to gain full root access.

The high‑severity Local Privilege Escalation vulnerability, tracked as CVE‑2026‑3888, affects default installations of Ubuntu Desktop 24.04 and later.

The flaw allows an unprivileged local attacker to escalate privileges to full root access by exploiting an unexpected interaction between two trusted system components: snap-confine, which sets up the sandboxed execution environment for snap applications, and systemd-tmpfiles, which automatically removes temporary files and directories older than a configured age threshold.

Exploitation depends on a time-based window: the directory involved must first age past the cleanup threshold, which is 10 to 30 days depending on the Ubuntu release. Once that condition is met, a successful attack results in complete system compromise, the researchers warned.

How the Ubuntu vulnerability works

The flaw identified by Qualys works by abusing the cleanup behavior of systemd‑tmpfiles.

Once a directory that snap-confine relies on, /tmp/.snap, is automatically deleted by the cleanup daemon, any local user can recreate it, because /tmp is world-writable, and populate it with attacker-controlled content.

Then, during the next sandbox initialization, snap-confine, which runs as root, bind-mounts the attacker-controlled files, enabling arbitrary code execution with full privileges.

"Think of it this way: the system’s housekeeping service unknowingly clears a secure room, and an attacker slips in to rebuild it with their own materials — so when the security team returns, they lock in the attacker’s setup and hand over full access," researchers said.

Patch issued, but be wary

CVE-2026-3888 carries a CVSS v3.1 score of 7.8 (High), and organizations are advised to apply patches immediately.

Fixed snapd packages have been released for Ubuntu 24.04 LTS onward. The affected versions are:

  • Ubuntu 24.04 LTS - snapd versions prior to 2.73+ubuntu24.04.1
  • Ubuntu 25.10 - snapd versions prior to 2.73+ubuntu25.10.1
  • Ubuntu 26.04 LTS (in development) - snapd versions prior to 2.74.1+ubuntu26.04.1
  • Upstream snapd - versions prior to 2.75

While Qualys says older Ubuntu LTS releases, 16.04 through 22.04, are not vulnerable in their default configuration, it still recommends applying the patch as a precaution, since non-default setups could replicate the behavior of the newer releases.

Separate Ubuntu desktop flaw identified

Almost as an aside, Qualys said it had also discovered a separate vulnerability through a proactive security effort prior to the release of Ubuntu Desktop 25.10.

A race condition in the rm utility, at that point the uutils (Rust) reimplementation shipped as the default in Ubuntu 25.10 development builds, allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions.

Successful exploitation could potentially lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.

"The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10," said Saeed Abbasi, senior manager of Qualys's Threat Research Unit.

"The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.