Canonical has published details for CVE-2026-3888, a high-severity local privilege escalation vulnerability affecting Ubuntu systems that use snapd with systemd-tmpfiles cleanup enabled. According to Ubuntu, the issue allows a local attacker to gain root privileges by re-creating snap’s private /tmp directory after it has been removed by automated cleanup.
Ubuntu’s advisory describes the flaw as an incorrect handling issue in snapd involving operations in snap’s private temporary directory. If systemd-tmpfiles is configured to automatically clean stale data, a low-privileged local attacker may be able to re-create the deleted directory and trigger privilege escalation to root.
Media coverage from The Hacker News adds operational context from Qualys, which said the exploit chain depends on the timing of cleanup cycles and can take advantage of the interaction between snap-confine and systemd-tmpfiles. The report says the attack does not require user interaction, but does depend on a timing window tied to directory cleanup.
Canonical rates the issue as High with a CVSS 3.1 score of 7.8. Ubuntu marks fixes as available for supported releases, including Ubuntu 24.04 LTS, 22.04 LTS and 25.10, while older LTS branches such as 20.04, 18.04 and 16.04 receive fixes through Ubuntu Pro / ESM channels.
The issue matters because it turns a local foothold into full root compromise on affected systems. For organizations using Ubuntu endpoints, desktops or developer workstations with snapd enabled, patching and package verification are the immediate priorities. Tenable has also released detection coverage for the issue through Nessus plugin 302821.
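The advisory's stated precondition is that systemd-tmpfiles is configured to clean stale data automatically. The following added example (not from Canonical, Qualys or the snapd project) parses tmpfiles.d-format rules and reports any that apply an age-based cleanup to /tmp; the function name `tmp_age_rules` and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: list tmpfiles.d rules that age-clean /tmp.
# Input : tmpfiles.d lines on stdin
#         (fields: Type Path Mode User Group Age Argument)
# Output: "<type> <path> <age>" for each matching rule
# Status: 0 if at least one rule age-cleans /tmp, 1 otherwise
# On a live host the input can come from: systemd-tmpfiles --cat-config
tmp_age_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            type = substr($1, 1, 1)      # keep the type letter, drop modifiers
            path = $2
            sub(/\/+$/, "", path)        # treat "/tmp/" the same as "/tmp"
            age = (NF >= 6) ? $6 : "-"   # a missing Age field means no cleanup
            # Directory-style types whose Age field drives periodic cleanup
            if (path == "/tmp" && index("dDeqQv", type) > 0 && age != "-") {
                print type, path, age
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample rules (not copied from a real host)
SAMPLE_AGED='# constructed sample
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d'
SAMPLE_NOAGE='D /tmp 1777 root root -'

if printf '%s\n' "$SAMPLE_AGED" | tmp_age_rules; then
    echo "SAMPLE_AGED: age-based cleanup of /tmp is configured"
fi
if ! printf '%s\n' "$SAMPLE_NOAGE" | tmp_age_rules; then
    echo "SAMPLE_NOAGE: no age-based cleanup of /tmp"
fi
```

A match only confirms the cleanup precondition; whether a host is exposed still depends on the installed snapd package being unpatched.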