← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-3888 · CWE-268 · Disclosed 2026-03-17

Local privilege escalation in snapd on Linux

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a burglar who already got inside and then waits for housekeeping to prop open the vault

CVE-2026-3888 is a local privilege escalation in Ubuntu's snapd, specifically the interaction between snap-confine and systemd-tmpfiles. The published CVE record says Ubuntu 16.04/18.04/20.04/22.04/24.04 LTS are affected, but Canonical's own March 17, 2026 advisory is more operationally useful: default installations of Ubuntu 24.04 LTS and Ubuntu 25.10 are the real exposure center, while older LTS releases received hardening because some non-default configurations could also be vulnerable. Fixed package lines include 2.73+ubuntu24.04.1 for noble and 2.73+ubuntu25.10.1 for questing, with backports for older LTS streams and upstream hardening planned in snapd 2.75.1.

The vendor's HIGH 7.8 score is technically defensible because successful exploitation ends in root, but it overstates enterprise urgency if you are triaging patch queues across 10,000 hosts. This is not initial access and not remote; the attacker already needs a local foothold with code execution, the vulnerable population is skewed toward Ubuntu desktop/dev endpoints rather than broad server fleets, and the exploit chain adds unusual friction by depending on systemd-tmpfiles cleanup timing and controlled re-creation of snap sandbox state. That combination pushes this down to a MEDIUM operational priority, not because the impact is small, but because the reachable population and attacker prerequisites are.

"Real root impact, but it is a delayed post-compromise LPE with narrow default exposure."
02 · The Attack Path

5 steps from start to impact.

STEP 01

Land a local foothold

The attacker must already have a local account or code execution as a non-root user on the target Linux host. This is the decisive gating factor: CVE-2026-3888 is a post-initial-access privilege escalation, not a way onto the box. The relevant components are snapd/snap-confine, and the public technical reference is the Qualys advisory.
Conditions required:
  • Ubuntu host with snapd installed
  • Attacker can execute code locally as an unprivileged user
  • Target uses an affected snapd package line
Where this breaks in practice:
  • Requires prior compromise, valid local credentials, or insider access
  • Many enterprise Ubuntu servers do not expose broad interactive user access
  • MFA, EDR, PAM controls, and workload isolation should already pressure this phase
Detection/coverage: VM scanners will identify outdated snapd packages well; runtime detection is weaker because this step looks like ordinary user activity until the exploit chain begins.
STEP 02

Wait for systemd-tmpfiles to create the opening

Per the Qualys analysis, the attacker keeps a snap sandbox alive and waits for systemd-tmpfiles to remove the stale /tmp/.snap directory while leaving the surrounding writable /tmp in place. Qualys states this window is roughly 30 days on Ubuntu 24.04 and 10 days on Ubuntu versions later than 24.04. The weaponized components here are systemd-tmpfiles and the snap sandbox path under /tmp/snap-private-tmp/*/tmp/.snap.
Conditions required:
  • systemd-tmpfiles cleanup active for /tmp
  • Attacker can maintain access long enough for cleanup to occur
  • A snap sandbox path exists and can be revisited
Where this breaks in practice:
  • The delay is operationally awkward for smash-and-grab intrusions
  • Reboots, host rebuilds, user logoff churn, or workspace resets can break the setup
  • Short-lived cloud nodes and immutable workstation rebuild policies sharply reduce success rates
Detection/coverage: This timing dependency is not something most vuln scanners measure; endpoint telemetry can sometimes spot suspicious persistence around /tmp/.snap, but preventive discovery is limited.
STEP 03

Recreate attacker-controlled .snap content

Once the stale root-created .snap directory is deleted, the attacker recreates it under the world-writable sandbox tmp path and stages controlled library content. Qualys describes replacing the expected library tree so snap-confine later bind-mounts attacker-chosen files as root during sandbox setup. The public helper discussed in the advisory is the Qualys firefox_24.04.c proof-of-concept workflow, not a polished wormable exploit.
Conditions required:
  • The privileged .snap directory was removed first
  • Attacker can write to the surviving sandbox tmp directory
  • A suitable snap/base combination exists to rebuild the sandbox path
Where this breaks in practice:
  • Path handling is finicky and release-specific
  • This is not one generic command that lands everywhere
  • AppArmor and snap profile differences can complicate lab-to-production reliability
Detection/coverage: Elastic has a prebuilt analytic for non-root creation of files under /tmp/.snap and /tmp/snap-private-tmp/*/tmp/.snap, which is the most useful behavioral detector published so far.
STEP 04

Race snap-confine during sandbox initialization

The exploit then abuses snap-confine while it is rebuilding the sandbox and creating mimic mountpoints. Qualys describes single-stepping snap-confine debug output to win the race and swap in attacker-controlled directories before bind mounts complete, giving control of shared libraries and the dynamic loader in the sandbox. This is where the CVSS AC:H rating is real, not paperwork.
Conditions required:
  • snap-confine invocation can be triggered
  • Attacker wins the timing-sensitive replacement window
  • The target snap layout exposes the relevant mimic path
Where this breaks in practice:
  • Race timing is brittle under load and across package revisions
  • Exploit reliability can drop on noisy VDI or oversubscribed hosts
  • Modern EDR may flag suspicious repeated snap-confine launches or odd mount activity
Detection/coverage: Behavioral telemetry is the best bet: repeated snap-confine execution, recreation of .snap paths, and root-child process anomalies. Signature-only controls will miss this.
STEP 05

Break out from sandboxed root to host root

Root first appears inside the snap sandbox, then the attacker writes a SUID-root shell in an allowed path such as /var/snap/<snap>/common/ and executes it outside the sandbox to get host-level euid=0. That means the final outcome is serious: full root on the host, not just a confined shell. Qualys demonstrates this with a BusyBox/bash handoff.
Conditions required:
  • Sandboxed root code execution obtained
  • Writable path exists for SUID shell placement
  • Attacker can invoke the dropped binary from the host context
Where this breaks in practice:
  • Some hardening baselines detect or block new SUID files
  • File integrity monitoring and EDR can catch the breakout artifact
  • Operational success still depends on earlier race and timing stages
Detection/coverage: Good EDR should alert on unexpected SUID creation, execution of binaries from /var/snap/*/common/, or a root process lineage descending from a low-privilege user.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in primary sources reviewed; CISA KEV does not list CVE-2026-3888.
Proof-of-concept availabilityTechnical exploit guidance is public via the Qualys blog and full advisory, including a firefox_24.04 helper workflow; I did not find a widely adopted GitHub spray-and-pray exploit kit in primary results.
EPSS0.00008 per the user-supplied intel, which is extremely low and consistent with a narrow, local-only post-compromise path.
KEV statusNot KEV-listed as of the CISA catalog page reviewed; no federal due date is attached.
CVSS vectorCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H — local, authenticated/low-privileged attacker, high complexity, full compromise if it lands.
Affected versionsCanonical says default exposure is Ubuntu 24.04 LTS and Ubuntu 25.10; patches were also shipped to 22.04/20.04/18.04/16.04 because some non-default configurations may be vulnerable.
Fixed versions2.73+ubuntu25.10.1 (questing), 2.73+ubuntu24.04.1 (noble), 2.73+ubuntu22.04.1 (jammy), 2.67.1+20.04ubuntu1~esm1, 2.61.4ubuntu0.18.04.1+esm2, 2.61.4ubuntu0.16.04.1+esm2; Canonical also said the hardening goes upstream in snapd 2.75.1.
Scanning / exposure realityThis is not internet-scannable in the usual Shodan/Censys sense because exploitation requires local execution on the host. Exposure is therefore driven by fleet composition and local user access, not open ports.
Disclosure date2026-03-17 in Ubuntu/NVD records; the oss-security follow-up referenced 2026-03-18.
ReporterQualys Threat Research Unit discovered and published the issue; Canonical assigned the CVE and shipped the backports.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The single biggest downward pressure is that the attacker already needs local code execution and usually sustained dwell time before the bug matters. Even though the end state is host root, this is a narrow post-compromise amplifier rather than a fleet-wide internet fire.

HIGH Technical impact is full root on successful exploitation
HIGH Default affected population is materially narrower than the CVE headline suggests
MEDIUM Exploit reliability across varied enterprise Linux desktop images

Why this verdict

  • Downgrade for attacker position: exploitation starts at *local unprivileged user*, which implies the attacker is already on the endpoint. That is a major real-world severity reduction versus remote or pre-auth bugs.
  • Downgrade for exposure population: Canonical's own March 17, 2026 note says default impact centers on Ubuntu 24.04 LTS and Ubuntu 25.10, not every Ubuntu server in the estate. In many enterprises, that means developer workstations and desktops, not the full Linux fleet.
  • Downgrade for exploit friction: the chain depends on systemd-tmpfiles cleanup timing, recreation of a deleted sandbox directory, and a race during snap-confine setup. This is exactly the kind of high-complexity, long-dwell exploit path that breaks outside clean lab conditions.
  • Keep it above LOW for blast radius: if it works, the attacker reaches host root, not a sandbox-limited nuisance. On engineering laptops and admin workstations, that can mean credential theft, EDR tampering, and lateral movement.

Why not higher?

This is not unauthenticated, not remote, not wormable, and not broadly exposed to the internet. The exploit path also asks for unusual patience and timing, which sharply narrows who can operationalize it at scale. No KEV listing and extremely low EPSS reinforce that this is not behaving like an urgent internet-burn event.

Why not lower?

A successful exploit produces real root compromise, and snapd is common enough on Ubuntu endpoints that you cannot hand-wave it away as theoretical. If you run Ubuntu developer desktops or shared jump hosts with local users, this is still a meaningful post-compromise privilege-escalation risk.

05 · Compensating Control

What to do — in priority order.

  1. Restrict local shell access — Reduce who can reach the first prerequisite at all: review SSH, VDI, bastion, student/lab, and contractor access to Ubuntu hosts running snapd. For a MEDIUM verdict there is no mitigation SLA, but this is still the best immediate risk reducer while you work through the 365-day remediation window.
  2. Monitor snap temporary paths — Alert on non-root creation or modification of /tmp/.snap and /tmp/snap-private-tmp/*/tmp/.snap, plus suspicious snap-confine execution bursts. Use the Elastic analytic or equivalent EDR rule logic; deploy as soon as feasible because detection is more realistic than blanket prevention here.
  3. Hunt for unexpected SUID artifacts — Scan for new or recently changed SUID-root binaries, especially under /var/snap/*/common/, and correlate them with low-privilege user activity. This catches the breakout stage that turns sandboxed root into host root.
  4. Prioritize desktop and dev images — If patch capacity is limited, start with Ubuntu 24.04 LTS desktops, VDI pools, shared engineering workstations, and any host where multiple users can execute code locally. That matches the real exposure center better than patching every headless Ubuntu server first.
What doesn't work
  • A network firewall does not meaningfully help because exploitation is local, not inbound over a service port.
  • A WAF or reverse proxy is irrelevant; there is no web transaction to filter.
  • Assuming AppArmor alone saves you is wrong: the published chain uses sandboxed root first and then pivots to a host-level SUID artifact.
  • Pure internet exposure dashboards like Shodan/Censys will underrepresent this risk because there is no exposed remote service to fingerprint.
06 · Verification

Crowdsourced verification payload.

Run this on the target Ubuntu host as any local user; sudo is not required because it only reads package metadata and OS release info. Save as check-cve-2026-3888.sh and run bash check-cve-2026-3888.sh — it prints VULNERABLE, PATCHED, or UNKNOWN and exits with 0, 1, or 2 respectively.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2026-3888.sh
# Detect likely exposure to CVE-2026-3888 on Ubuntu systems by comparing
# installed snapd version to Canonical fixed package versions from USN-8102-1.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

print_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

print_vuln() {
  echo "VULNERABLE: $1"
  exit 1
}

print_patched() {
  echo "PATCHED: $1"
  exit 0
}

if ! command -v dpkg-query >/dev/null 2>&1; then
  print_unknown "dpkg-query not found; this script supports Debian/Ubuntu package checks only"
fi

if [ ! -r /etc/os-release ]; then
  print_unknown "/etc/os-release not readable"
fi

# shellcheck disable=SC1091
. /etc/os-release

if [ "${ID:-}" != "ubuntu" ]; then
  print_unknown "OS is '${ID:-unknown}', not Ubuntu"
fi

if ! dpkg-query -W -f='${Status} ${Version}\n' snapd >/tmp/check-cve-2026-3888.$$ 2>/dev/null; then
  print_unknown "snapd package is not installed"
fi

pkg_line=$(cat /tmp/check-cve-2026-3888.$$)
rm -f /tmp/check-cve-2026-3888.$$

case "$pkg_line" in
  "install ok installed "*) : ;;
  *) print_unknown "snapd package is not in installed state: $pkg_line" ;;
esac

installed_version=$(printf '%s' "$pkg_line" | awk '{print $4}')
series="${VERSION_ID:-unknown}"
fixed_version=""
notes=""

case "$series" in
  "25.10")
    fixed_version="2.73+ubuntu25.10.1"
    notes="Default-impact release per Canonical"
    ;;
  "24.04")
    fixed_version="2.73+ubuntu24.04.1"
    notes="Default-impact release per Canonical"
    ;;
  "22.04")
    fixed_version="2.73+ubuntu22.04.1"
    notes="Backported hardening for non-default vulnerable configurations"
    ;;
  "20.04")
    fixed_version="2.67.1+20.04ubuntu1~esm1"
    notes="Backported hardening via Ubuntu Pro/ESM for non-default vulnerable configurations"
    ;;
  "18.04")
    fixed_version="2.61.4ubuntu0.18.04.1+esm2"
    notes="Backported hardening via Ubuntu Pro/ESM for non-default vulnerable configurations"
    ;;
  "16.04")
    fixed_version="2.61.4ubuntu0.16.04.1+esm2"
    notes="Backported hardening via Ubuntu Pro/ESM for non-default vulnerable configurations"
    ;;
  *)
    print_unknown "Ubuntu version ${series} is not covered by USN-8102-1 mapping"
    ;;
esac

if dpkg --compare-versions "$installed_version" ge "$fixed_version"; then
  print_patched "snapd ${installed_version} >= fixed ${fixed_version} on Ubuntu ${series} (${notes})"
else
  print_vuln "snapd ${installed_version} < fixed ${fixed_version} on Ubuntu ${series} (${notes})"
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, scope this to Ubuntu endpoints first, especially 24.04 LTS desktops, VDI pools, dev workstations, and any shared Linux host with local user execution. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; that means you should schedule the actual snapd package update within the noisgate remediation SLA of ≤365 days, but in practice pull it forward on workstation images because the fix is straightforward and the blast radius of a successful local root on developer systems is ugly. If you suspect active hands-on-keyboard activity on an affected host, do not wait for the calendar: hunt for .snap path abuse and unexpected SUID binaries immediately while accelerating patching on that subset.

Sources

  1. Ubuntu CVE record
  2. Ubuntu USN-8102-1
  3. Ubuntu security notice discussion
  4. Qualys blog analysis
  5. Qualys full advisory
  6. NVD entry
  7. Elastic detection rule
  8. CISA KEV catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.