Critical Ubuntu Snapd Bug (CVE-2026-3888) Lets Users Get Root Access – Patch Now!

Quick Summary

• The Qualys Threat Research Unit recently discovered a serious flaw (CVE-2026-3888) in snapd, the background service that manages Snap apps.
• CVE-2026-3888 is a high-severity Local Privilege Escalation (LPE) vulnerability that allows unprivileged users to gain full root access on default installations of Ubuntu 24.04 LTS and later.
• The flaw is triggered by an unintended interaction between snap-confine (which sets up app sandboxes) and systemd-tmpfiles (which cleans up old temporary files).
• Update your Ubuntu system as soon as possible to apply the patches: sudo apt update && sudo apt upgrade -y

Introduction

A significant security flaw was recently discovered in Ubuntu, and it involves a bit of a waiting game.

The Qualys Threat Research Unit identified a Local Privilege Escalation (LPE) vulnerability, tracked as CVE-2026-3888, which allows a standard user to gain full root access.

If you manage Ubuntu systems, especially versions like 24.04 LTS, here is what you need to know to stay secure.

The Problem: A "Wrong-Way" Interaction

Unlike many bugs that live in a single line of code, this one is an "unintended interaction" between two otherwise secure system tools:

• snap-confine: This tool sets up the secure "sandbox" where your Snap apps run.
• systemd-tmpfiles: This service cleans up old files in your temporary folders to keep the system tidy.

The vulnerability happens because snapd incorrectly handles operations in a private temporary directory. If the cleanup service deletes this directory while it is still needed, an attacker can jump in, recreate it with malicious files, and trick the system into giving them root power.

A 30-Day Waiting Game

This attack is unusual because it requires extreme patience. An attacker cannot just run a script and get root immediately. Instead, they must wait for the system’s automatic cleanup timer to expire.

As noted in the Ubuntu Community Hub, the attacker has to wait for the directory to be deleted after a period of inactivity:

• Ubuntu 24.04 (Noble): 30 days of waiting.
• Ubuntu 25.10 (Questing): 10 days of waiting.

Because of this long delay, security experts rate the Attack Complexity as High. However, once the timer hits, the impact is a total compromise of the host system.

Is Your Ubuntu Version Affected?

The flaw primarily impacts default installations of Ubuntu 24.04 LTS and later. While older versions (16.04 through 22.04) are generally safe in their default state, Canonical has released "hardening" patches for them just in case someone uses a non-default setup.

Check your version of snapd and ensure you have moved to these fixed releases:

• Ubuntu 25.10: 2.73+ubuntu25.10.1
• Ubuntu 24.04 LTS: 2.73+ubuntu24.04.2
• Ubuntu 22.04 LTS: 2.73+ubuntu22.04.1
• Legacy (16.04 to 20.04): Updates are available via Ubuntu Pro.

You can check the snapd version in Ubuntu using either of these commands:

1. Check the snapd package version:

snap version

This displays the snap client version, snapd daemon version, and the series/OS info.

2. Check via apt/dpkg:

dpkg -l snapd

or

apt-cache policy snapd

3. Check the snapd service status (includes version info):

snapd --version

The most common and recommended way is snap version, which gives output like:

snap          2.74.1
snapd         2.74.1
series        16
ubuntu        24.04
kernel        6.8.0-106-generic
architecture  amd64

How to Fix It (and the "Noble" Typo)

The best way to protect yourself is a standard system update. You can run these commands in your terminal:

sudo apt update
sudo apt upgrade -y

Important Note: After the update, you must reboot your computer to make the security changes active.

Watch out for the Noble Typo

If you use Ubuntu 24.04 (Noble), there was a small hiccup with the first patch (version .1). A developer accidentally left out the letter "D" at the start of a configuration file. This caused an "Unknown command type" error during installation.

Canonical quickly fixed this with version 2.73+ubuntu24.04.2. If you saw an error message during your last update, run the update again to get the corrected version.

One More Thing: The Ubuntu 25.10 "rm" Bug

While investigating this, researchers also found a separate bug in Ubuntu 25.10. It involved a "race condition" in a new version of the rm command that could let an attacker delete files they shouldn't be able to touch.

The good news? This was caught and fixed before Ubuntu 25.10 was even released to the public by switching back to the tried-and-true GNU version of the tool.

Summary

This serious Ubuntu vulnerability (CVE-2026-3888) allows local users to gain full root access. If you run Ubuntu 24.04 or later, you should update your system right now.

• Update now: Ensure snapd is at the latest version.
• Reboot: Don't skip this step, or the patch won't fully work.
• Verify Noble: If you are on 24.04, make sure you are on version .2 or higher to avoid the typo bug.

Staying updated is your best defense. If you have unattended-upgrades enabled, your system likely handled this within 24 hours of the release.

For more technical details about this security flaw, read the detailed report from Qualys team in the link below:

• CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root