Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snaps private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Weakness
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Snapd | Ubuntu | devel | * |
| Snapd | Ubuntu | esm-infra/bionic | * |
| Snapd | Ubuntu | esm-infra/focal | * |
| Snapd | Ubuntu | esm-infra/xenial | * |
| Snapd | Ubuntu | jammy | * |
| Snapd | Ubuntu | noble | * |
| Snapd | Ubuntu | questing | * |
| Snapd | Ubuntu | snap | * |
| Snapd | Ubuntu | upstream | * |
Potential Mitigations
References
- https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
- https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt
- https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888
- https://ubuntu.com/security/CVE-2026-3888
- https://ubuntu.com/security/notices/USN-8102-1