{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreifzhw6dctnkw53kgpwywdkuf3vygc2qjqn2g7pa7vq7lqyzlyd7h4",
    "uri": "at://did:plc:npppinc2x6on5fmrcemn2p5o/app.bsky.feed.post/3mheraafmcdy2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreigvzblq2hom322quad5pqezkqvfzrfhj75pwcmspxkwdbcr6mawlq"
    },
    "mimeType": "image/png",
    "size": 11619
  },
  "path": "/post/811469138108219392",
  "publishedAt": "2026-03-18T23:41:15.000Z",
  "site": "https://tumblr.sztupy.hu",
  "tags": [
    "CVE-2026-3888 | Ubuntu",
    "THN",
    "bind mounts"
  ],
  "textContent": "CVE-2026-3888 | Ubuntu\n\nLocal privilege escalation in snapd in Ubuntu on Linux allows local attackers to get root privilege by re-creating snap’s private /tmp directory when systemd-tmpfiles is enabled to automatically clean up this directory.\n\nQualys discovered that snapd incorrectly handled certain operations in the snap’s private /tmp directory. If systemd-tmpfiles is enabled to automatically clean up this directory, a local attacker could possibly use this issue to re-create the deleted directory, resulting in privilege escalation.\n\nFrom THN:\n\nThe attack plays out in the following manner -\n\n  * The attacker must wait for the system’s cleanup daemon to delete a critical directory (/tmp/.snap) required by snap-confine. The default period is 30 days in Ubuntu 24.04 and 10 days in later versions.\n  * Once deleted, the attacker recreates the directory with malicious payloads.\n  * During the next sandbox initialization, snap-confine bind mounts these files as root, allowing the execution of arbitrary code within the privileged context.\n\n",
  "title": "Local privilege escalation in snapd in Ubuntu on Linux allows local attackers to get root privilege…"
}