CVE-2026-3888

Published Mar 17, 2026

Last updated 2 months ago

CVSS high 7.8
Ubuntu

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-3888 is a local privilege escalation vulnerability found in snapd on Linux systems. This flaw allows an unprivileged local attacker to gain root privileges. The vulnerability stems from an unintended interaction between two standard system components: `snap-confine`, which manages execution environments for snap applications, and `systemd-tmpfiles`, responsible for cleaning up temporary files and directories. Specifically, the issue occurs when `systemd-tmpfiles` is configured to automatically clean up snap's private `/tmp` directory. An attacker can exploit a race condition during this cleanup process to re-create the directory with malicious permissions or content before `snap-confine` utilizes it. While the exploit requires a specific time-based window, typically between 10 and 30 days, it can lead to a complete compromise of the host system. This vulnerability affects various Ubuntu versions, including 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Description
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Source
security@ubuntu.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
6
Exploitability score
1.1
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@ubuntu.com
CWE-268

Social media

Hype score
Not currently trending

  1. Nginx-UIdeki yedekleme sızıntısından root kabuğuna uzanan CVE-2026-3888 ve Snap Copy-Fail root açığı CVE-2026-27944 - yarın detayları paylaşıyoruz. Takipte kalın. https://t.co/2SElhCfANS

    @r3csec

    20 May 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. NEW Videoo: CVE-2026-3888: Nginx-UI Backup Leak to Root Shell + CVE-2026-27944 Snap Copy-Fail Root New video covering a full Linux exploitation chain: Unauth API → Backup leak → Credential cracking → SSH → Snapd TOCTOU privesc → Root shell https://t.co/VjCTRiQlpy

    @NullSecurityX

    13 May 2026

    5208 Impressions

    13 Retweets

    45 Likes

    22 Bookmarks

    1 Reply

    1 Quote

  3. Sorry everyone, I'm late (again) as I was taking the OSCP ! New HackTheBox walkthrough: Snapped Nginx UI CVE-2026-27944 backup extraction → bcrypt cracking → dual privesc paths (snap CVE-2026-3888 + kernel copy-fail CVE-2026-31431). Enjoy the video! https://t.co/23iQXDMVZ

    @Strikoder

    11 May 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-3888 3 - CVE-2026-40372 4 - CVE-2025-59536 5 - CVE-2026-26144 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Apr 2026

    194 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Top 5 Trending CVEs: 1 - CVE-2026-3888 2 - CVE-2025-31277 3 - CVE-2025-55182 4 - CVE-2026-20643 5 - CVE-2026-32746 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    19 Mar 2026

    155 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

Related CVEs

  1. Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.CVE-2026-29518
  2. NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.CVE-2026-33278
  3. Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.CVE-2026-43618
  4. In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.CVE-2026-46333
  5. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-42945

References

Sources include official advisories and independent security research.