CVE-2026-3888
Local Privilege Escalation in snapd
Description
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
INFO
Published Date :
March 17, 2026, 2:16 p.m.
Last Modified :
June 4, 2026, 2:43 p.m.
Remotely Exploit :
No
Source :
[email protected]
Affected Products
The following products are affected by CVE-2026-3888
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | cc1ad9ee-3454-478d-9317-d3e869d708bc | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update the snapd package on affected systems.
- Restart the snapd service after updating.
- Verify the patch is applied successfully.
Public PoC/Exploit Available at Github
CVE-2026-3888 has a 20 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-3888.
| URL | Resource |
|---|---|
| https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root | Mitigation Third Party Advisory |
| https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt | Third Party Advisory |
| https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888 | Mitigation Third Party Advisory |
| https://ubuntu.com/security/CVE-2026-3888 | Third Party Advisory |
| https://ubuntu.com/security/notices/USN-8102-1 | Third Party Advisory |
| http://www.openwall.com/lists/oss-security/2026/03/18/1 | Mailing List Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-3888 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-3888
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Repositorio dedicado a máquinas de Hack The Box (HTB), donde compartiré writeups con fines educativos. El objetivo es documentar metodologías, técnicas de enumeración, explotación y escalada de privilegios para el aprendizaje práctico de ciberseguridad y pentesting ético.
May 2026 trending CVE scanners - PAN-OS, WordPress, BeyondTrust, GHE, ingress-nginx
Python
None
HTB Snapped — Hard Linux machine writeup. CVE-2026-27944 (Nginx UI unauthenticated backup disclosure) chained with CVE-2026-3888 (snapd race condition LPE) to achieve full system compromise.
Ger. HTB writeups
ctf cybersecurity hackthebox oscp-prep penetration-testing writeups
基于 claude-agent-sdk 的智能渗透测试 Agent,用于参与第二届 TCH 智能渗透挑战赛。
Dockerfile Shell Python
🛡️ VPS-SECURE is the only script that turns a bare VPS into an operational fortress — honeypot, collaborative IPS, real-time dashboard, Telegram alerts — in 15 minutes and 1 command, with zero Linux expertise required. 🚀⚡
bash crowdsec devops docker hardening homelab linux security selfhosted server-security sysadmin ubuntu vps auditd endlessh rkhunter aide vps-hardening cis-benchmark stig
Shell HTML Python Dockerfile
None
C
Linux LPE via snap-confine + systemd-tmpfiles, explained in depth
C
None
C
None
Python C
This is a script designed for deployment on ubuntu instances patching the CVE-2026-3888 exploit
Shell
This script demonstrates a race condition vulnerability in snapd that allows a local, unprivileged user to gain root privileges. The exploit works by recreating snap's private /tmp directory after it's cleaned up by systemd-tmpfiles, and tricking snap-confine into bind-mounting malicious files into the snap's sandbox.
Python
None
PowerShell Shell Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-3888 vulnerability anywhere in the article.
-
Daily CyberSecurity
Three Silent Vulnerabilities Discovered in the glibc Core
The core of many Linux-based operating systems is facing a series of security challenges. Recent advisories for the GNU C Library (glibc) have disclosed three distinct vulnerabilities ranging from hea ... Read more
-
The Hacker News
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories. This edition covers a ... Read more
-
The Hacker News
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level. Tracked as CVE-2026-3888 (CVSS sco ... Read more
-
CybersecurityNews
Ubuntu Desktop Systems Vulnerability Enables Attackers to Gain Full Root Access
Ubuntu Desktop Systems Vulnerability A Local Privilege Escalation (LPE) vulnerability in default installations of Ubuntu Desktop 24.04 and later allows an unprivileged local attacker to gain full root ... Read more
The following table lists the changes that have been made to the
CVE-2026-3888 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 04, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* *cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* *cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* *cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:* *cpe:2.3:o:canonical:ubuntu_linux:24.04:*:*:*:lts:*:*:* Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/03/18/1 Types: Mailing List, Third Party Advisory Added Reference Type Canonical Ltd.: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root Types: Mitigation, Third Party Advisory Added Reference Type Canonical Ltd.: https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt Types: Third Party Advisory Added Reference Type Canonical Ltd.: https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888 Types: Mitigation, Third Party Advisory Added Reference Type Canonical Ltd.: https://ubuntu.com/security/CVE-2026-3888 Types: Third Party Advisory Added Reference Type Canonical Ltd.: https://ubuntu.com/security/notices/USN-8102-1 Types: Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Mar. 18, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/03/18/1 -
CVE Modified by [email protected]
Mar. 18, 2026
Action Type Old Value New Value Added Reference https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root Added Reference https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt Added Reference https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888 Added Reference https://ubuntu.com/security/notices/USN-8102-1 -
New CVE Received by [email protected]
Mar. 17, 2026
Action Type Old Value New Value Added Description Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS. Added CVSS V3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-268 Added Reference https://ubuntu.com/security/CVE-2026-3888