FIND-20260325-018 · 2026-03-25 · Innovation Veille

CVE-2026-3888 — Ubuntu Local Privilege Escalation via snap-confine + systemd-tmpfiles Race Condition

cve HIGH
CVE-2026-3888 is a HIGH severity (CVSS 7.8) local privilege escalation vulnerability discovered by Qualys TRU affecting default Ubuntu Desktop 24.04+ installations. The attack exploits a race condition between snap-confine and systemd-tmpfiles: systemd-tmpfiles automatically cleans /tmp/.snap after a configurable delay (10-30 days depending on Ubuntu version), and an unprivileged attacker can recreate that directory with malicious files before snap-confine runs its next sandbox initialization. Because snap-confine bind-mounts /tmp/.snap as root, arbitrary code executes with full root privileges. No user interaction is required. Exploit requires only patience (timing window). Fixed in snapd >= 2.73 on Ubuntu 24.04. Published 2026-03-17 by Qualys Threat Research Unit. ODS servers are PATCHED — running snapd 2.74.1 on Ubuntu 24.04.4 LTS (kernel 6.17.0-1009-gcp), which exceeds the minimum fix version of 2.73. Finding recorded for compliance and audit trail.

Source

https://ubuntu.com/security/CVE-2026-3888

ODS Impact

All ODS VPS nodes run Ubuntu 24.04 LTS on GCP (e2-standard-4). This CVE would allow any compromised container or process with local shell access to escalate to root, bypassing all tenant isolation and ODS service security. Impact would be catastrophic if exploited: full host compromise, access to all Docker secrets, Coolify credentials, WireGuard keys, PostgreSQL data, and Redpanda topics across all tenants. MITIGATED: snapd 2.74.1 is already deployed on ODS servers, which is above the patched threshold. No action required beyond this compliance record. Recommend verifying snapd version on all 4 GCP VPS nodes periodically.
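The periodic verification recommended above can be scripted. The following is an added example, not ODS tooling or anything from the Ubuntu advisory: a POSIX sh check that compares the installed snapd version against the minimum fixed version the record states (2.73) and reports PATCHED or VULNERABLE. It assumes `snap version` is available on the node (its output has a `snapd <version>` line) and avoids `dpkg --compare-versions` so the comparison also works where dpkg is absent; the versions in the self-test are the ones quoted in this record.

```shell
#!/bin/sh
# Added example: verify a node's snapd version against the CVE-2026-3888 fix
# threshold stated in the finding record. Not part of ODS tooling.

MIN_FIXED_SNAPD="2.73"   # minimum fixed version per the record (Ubuntu 24.04)

# version_ge A B -> exit 0 if dotted version A >= B, 1 otherwise.
# Non-numeric suffixes on a component (e.g. "2.73+24.04") are ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# snapd_status VERSION -> prints PATCHED or VULNERABLE for CVE-2026-3888.
snapd_status() {
    if version_ge "$1" "$MIN_FIXED_SNAPD"; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# installed_snapd_version -> prints the running snapd version, or nothing
# when the snap CLI is not present on this host.
installed_snapd_version() {
    command -v snap >/dev/null 2>&1 || return 0
    snap version 2>/dev/null | awk '$1 == "snapd" { print $2; exit }'
}

# When run on a node, report that node's status in one line suitable for
# collection into the compliance record.
v="$(installed_snapd_version)"
if [ -n "$v" ]; then
    printf '%s snapd %s: %s (min fixed %s)\n' \
        "$(uname -n)" "$v" "$(snapd_status "$v")" "$MIN_FIXED_SNAPD"
else
    echo "snapd not installed: CVE-2026-3888 not applicable on this host"
fi
```

Run it over the four nodes with the usual SSH loop and keep the one-line outputs with the finding; any line that does not read PATCHED, or any snapd version below 2.73, is the signal to act.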

Security Review

License: N/A | Maintenance: N/A | Risk: HIGH | Recommendation: USE_WITH_CAUTION

Tags

cve ubuntu snapd snap-confine systemd-tmpfiles privilege-escalation lpe qualys patched infrastructure gcp compliance