CVE-2026-3888

Published Mar 17, 2026

Last updated 2 months ago

CVSS high 7.8
Ubuntu

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-3888 is a local privilege escalation vulnerability found in snapd on Linux systems. This flaw allows an unprivileged local attacker to gain root privileges. The vulnerability stems from an unintended interaction between two standard system components: `snap-confine`, which manages execution environments for snap applications, and `systemd-tmpfiles`, responsible for cleaning up temporary files and directories. Specifically, the issue occurs when `systemd-tmpfiles` is configured to automatically clean up snap's private `/tmp` directory. An attacker can exploit a race condition during this cleanup process to re-create the directory with malicious permissions or content before `snap-confine` utilizes it. While the exploit requires a specific time-based window, typically between 10 and 30 days, it can lead to a complete compromise of the host system. This vulnerability affects various Ubuntu versions, including 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Description
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Source
security@ubuntu.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
6
Exploitability score
1.1
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@ubuntu.com
CWE-268

Social media

Hype score
Not currently trending

  1. NEW Videoo: CVE-2026-3888: Nginx-UI Backup Leak to Root Shell + CVE-2026-27944 Snap Copy-Fail Root New video covering a full Linux exploitation chain: Unauth API → Backup leak → Credential cracking → SSH → Snapd TOCTOU privesc → Root shell https://t.co/VjCTRiQlpy

    @NullSecurityX

    13 May 2026

    5208 Impressions

    13 Retweets

    45 Likes

    22 Bookmarks

    1 Reply

    1 Quote

  2. Sorry everyone, I'm late (again) as I was taking the OSCP ! New HackTheBox walkthrough: Snapped Nginx UI CVE-2026-27944 backup extraction → bcrypt cracking → dual privesc paths (snap CVE-2026-3888 + kernel copy-fail CVE-2026-31431). Enjoy the video! https://t.co/23iQXDMVZ

    @Strikoder

    11 May 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-3888 3 - CVE-2026-40372 4 - CVE-2025-59536 5 - CVE-2026-26144 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Apr 2026

    194 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-3888 2 - CVE-2025-31277 3 - CVE-2025-55182 4 - CVE-2026-20643 5 - CVE-2026-32746 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    19 Mar 2026

    155 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.CVE-2026-43500
  2. In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().CVE-2026-43284
  3. Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-28780
  4. Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-29168
  5. Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-23918

References

Sources include official advisories and independent security research.