CVE-2026-3888

EUVD-2026-12570
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
canonicalCNA
7.8 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
snapd
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
snapd
bionic
Fixed 2.61.4ubuntu0.18.04.1+esm2
released
focal
Fixed 2.67.1+20.04ubuntu1~esm1
released
jammy
Fixed 2.73+ubuntu22.04.1
released
noble
Fixed 2.73+ubuntu24.04.2
released
questing
Fixed 2.73+ubuntu25.10.1
released
xenial
Fixed 2.61.4ubuntu0.16.04.1+esm2
released
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt
https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888
https://ubuntu.com/security/CVE-2026-3888
https://ubuntu.com/security/notices/USN-8102-1
http://www.openwall.com/lists/oss-security/2026/03/18/1