
Local privilege escalation in snapd in Ubuntu on Linux allows local attackers to get root privilege…

SztupY [Unofficial] March 18, 2026
CVE-2026-3888 | Ubuntu

Local privilege escalation in snapd in Ubuntu on Linux allows local attackers to get root privilege by re-creating snap’s private /tmp directory when systemd-tmpfiles is enabled to automatically clean up this directory.

Qualys discovered that snapd incorrectly handled certain operations in the snap’s private /tmp directory. If systemd-tmpfiles is enabled to automatically clean up this directory, a local attacker could possibly use this issue to re-create the deleted directory, resulting in privilege escalation.

From THN: The attack plays out in the following manner:

* The attacker must wait for the system’s cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days in Ubuntu 24.04 and 10 days in later versions.
* Once deleted, the attacker recreates the directory with malicious payloads.
* During the next sandbox initialization, snap-confine bind mounts these files as root, allowing the execution of arbitrary code within the privileged context.
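A defender-side audit of the two conditions described above, as an added example that is not part of the original post or of snapd: it parses tmpfiles.d-format text for the Age applied to /tmp and for any exclusion covering /tmp/.snap, then reports whether the directory is missing or not owned by root. The sample config is constructed, and treating a non-root owner as suspicious assumes that snap-confine creates the directory as root.

```python
import fnmatch
import os
import stat

# Constructed sample in tmpfiles.d(5) layout: Type Path Mode User Group Age
SAMPLE_TMP_CONF = """\
# constructed for this example, not copied from any Ubuntu release
D /tmp 1777 root root 30d
x /tmp/systemd-private-*
"""

AGED_TYPES = {"d", "D", "q", "Q", "v", "e"}  # directory types that accept an Age


def tmp_cleanup_policy(conf_text, protected="/tmp/.snap"):
    """Return (age, excluded): Age applied to /tmp, and whether an
    x/X line exempts `protected` from age-based cleanup."""
    age, excluded = None, False
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        kind, path = fields[0].rstrip("!-+=~^"), fields[1]
        if kind in AGED_TYPES and path == "/tmp":
            if len(fields) > 5 and fields[5] != "-":
                age = fields[5]
        elif kind in ("x", "X") and fnmatch.fnmatchcase(protected, path):
            excluded = True
    return age, excluded


def audit_dir(path, expected_uid=0):
    """Classify the directory without following symlinks."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"            # window in which it can be re-created
    if not stat.S_ISDIR(st.st_mode):
        return "not-a-directory"    # symlink or file where a dir is expected
    if st.st_uid != expected_uid:
        return "unexpected-owner"   # assumption: legitimate owner is root
    return "ok"


if __name__ == "__main__":
    age, excluded = tmp_cleanup_policy(SAMPLE_TMP_CONF)
    print(f"/tmp age={age} /tmp/.snap excluded={excluded}")
    print("/tmp/.snap:", audit_dir("/tmp/.snap"))
```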
