thehackernews.com, 3/18/2026 9:32:10 AM

Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

Ubuntu has been disclosed as affected by a high-severity flaw, CVE-2026-3888, that could let an unprivileged local attacker escalate to root on default installations of Ubuntu Desktop 24.04 and later. According to the Qualys Threat Research Unit (TRU), the issue arises from the interaction between snap-confine and systemd-tmpfiles, and exploitation depends on a timing window of 10 to 30 days.

The bug stems from systemd-tmpfiles' routine, age-based cleanup of temporary directories. An attacker can time their actions against that cleanup cycle so that, once a critical directory has been deleted, they recreate it under their own control with a payload, which snap-confine then bind-mounts as root during sandbox initialisation. The attack needs only low privileges and no user interaction, but the exploit chain is slow and complex because of the time-delay mechanism.
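To see where a timing window of that kind comes from, the following added example (not code from the article, Qualys, Ubuntu, snapd or systemd) parses tmpfiles.d(5) configuration lines and lists every directory that systemd-tmpfiles will clean on a timer, together with its age. The embedded configuration is constructed for the example: its 10d and 30d ages are an assumption modelled on stock systemd tmp.conf, not values quoted from the article, and the /run/example-lock and /tmp/example-sandbox paths are hypothetical placeholders.

```python
"""Audit tmpfiles.d configuration for age-based cleanup rules.

Added example, not code from the article or from the projects it discusses.
It parses the documented tmpfiles.d line format
(type path mode user group age argument) and reports the directories that
systemd-tmpfiles removes on a timer, i.e. the deletions an attacker could wait for.
"""
import re

# Constructed sample in tmpfiles.d syntax. The 10d and 30d ages are an assumption
# modelled on stock systemd tmp.conf, not values from the article; the example-*
# paths are hypothetical placeholders.
SAMPLE_TMPFILES_CONF = """\
# type path mode user group age argument
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d
D! /run/example-lock 0755 root root -
d /tmp/example-sandbox 0700 root root -
x /tmp/systemd-private-*
"""

# Line types whose age field schedules periodic cleanup (tmpfiles.d(5)).
AGED_TYPES = {"d", "D", "e", "v", "q", "Q"}

_AGE_UNITS = {
    "": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}
_AGE_TOKEN = re.compile(r"(\d+)\s*([a-z]*)")


def parse_age(field):
    """Convert an age field such as '10d', '1h30m' or '-' to seconds (None = never cleaned)."""
    field = field.strip()
    if field in ("", "-"):
        return None
    # A leading '~' means "clean the contents, but not the directory itself".
    field = field.lstrip("~")
    # An optional age-by prefix ('abcm:10d') selects which timestamps count; drop it.
    if ":" in field:
        field = field.rsplit(":", 1)[1]
    if not re.fullmatch(r"(?:\d+\s*[a-z]*)+", field):
        raise ValueError(f"unparseable age: {field!r}")
    total = 0
    for number, unit in _AGE_TOKEN.findall(field):
        if unit not in _AGE_UNITS:
            raise ValueError(f"unknown age unit: {unit!r}")
        total += int(number) * _AGE_UNITS[unit]
    return total


def parse_rules(conf_text):
    """Yield one dict per configuration line, skipping comments and blank lines."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # the argument field may contain spaces
        fields += [""] * (7 - len(fields))    # pad missing trailing fields
        type_field, path, mode, user, group, age, argument = fields
        yield {
            "type": type_field[0],            # drop modifiers such as '!' or '-'
            "path": path,
            "age_seconds": parse_age(age),
            "contents_only": age.strip().startswith("~"),
        }


def aged_directories(conf_text):
    """Return (path, age_in_days) for every rule that schedules a cleanup."""
    return [
        (rule["path"], rule["age_seconds"] / 86400)
        for rule in parse_rules(conf_text)
        if rule["type"] in AGED_TYPES and rule["age_seconds"] is not None
    ]


if __name__ == "__main__":
    for path, days in aged_directories(SAMPLE_TMPFILES_CONF):
        print(f"{path}: cleaned after {days:g} days")
```

On a real host, feed the script the merged configuration printed by `systemd-tmpfiles --cat-config` instead of the sample; a directory that is both aged out on a timer and recreatable by an unprivileged user after deletion is the pattern the article describes, and the age column tells you how long the wait would be.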

The vulnerability has been fixed in the affected releases: patches are available for Ubuntu 24.04 LTS and later in the snapd versions noted in the article, and related fixes were also made upstream in the uutils coreutils package. The article further notes that the default rm and cron behaviours were adjusted in some versions, prior to Ubuntu 25.10, to reduce the risk. The disclosure was published on 18 March 2026.


Article by CyberSIXT