Ubuntu: root vulnerability via snapd

A vulnerability in the interaction between snapd and systemd under Ubuntu allows attackers to gain root access.

[Image: orange warning sign on a blue background. Sashkin / Shutterstock.com]


A vulnerability in default installations of Ubuntu Desktop lets attackers gain root privileges on affected systems and thus fully compromise them. Updated packages are available.

Security researchers at Qualys discovered the vulnerability. In a blog post, they explain that the problem stems from unintended interactions between two tools that run with elevated privileges. "snap-confine", a set-user-ID (SUID) root binary, is meant to isolate Snap apps in a kind of sandbox, for example by setting up private namespaces for them. The "systemd-tmpfiles" service cleans up temporary files and directories that are older than a defined period.

The attack is classified as complex because of the long wait before it can succeed: in Ubuntu 24.04, systemd only deletes the critical "/tmp/.snap" directories after up to 30 days, in newer versions after 10 days. Once the directory has been deleted, a malicious actor with low privileges on the system can recreate it and place malicious code there. The next time "snap-confine" initializes the snapd sandbox, it mounts these files as root, allowing arbitrary code to be executed in the root context (CVE-2026-3888, CVSS 7.8, risk "high").

Ubuntu provides updated snapd packages that fix the vulnerability. For Ubuntu 24.04 LTS, snapd 2.73+ubuntu24.04.1 solves the problem; for 25.10, snapd 2.73+ubuntu25.10.1; and for the 26.04 LTS currently in development, snapd 2.74.1+ubuntu26.04.1. Upstream snapd is fixed from version 2.75 onwards. Even though older Ubuntu versions from 16.04 to 22.04 LTS are not vulnerable by default, Qualys recommends installing the updated snapd packages there as well.


For the older Ubuntu versions, admins can still receive software updates under an Ubuntu Pro license. In November 2025, Canonical announced that, under this program, security updates are available for up to 15 years, starting from Ubuntu 14.04. This allows that old Ubuntu release to be operated securely until 2029.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.