CVE-2026-3888

EUVD-2026-12570
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Affected Products (NVD)
VendorProductVersion
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
20.04
canonicalubuntu_linux
22.04
canonicalubuntu_linux
24.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
snapd
bookworm
2.57.6-1+deb12u1
fixed
bookworm (security)
2.57.6-1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
2.68.3-3+deb13u1
fixed
trixie (security)
2.68.3-3+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
snapd
bionic
Fixed 2.61.4ubuntu0.18.04.1+esm2
released
focal
Fixed 2.67.1+20.04ubuntu1~esm1
released
jammy
Fixed 2.73+ubuntu22.04.1
released
noble
Fixed 2.73+ubuntu24.04.2
released
questing
Fixed 2.73+ubuntu25.10.1
released
resolute
Fixed 2.74.1+ubuntu26.04.3
released
xenial
Fixed 2.61.4ubuntu0.16.04.1+esm2
released
Common Weakness Enumeration
References
https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt
https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888
https://ubuntu.com/security/CVE-2026-3888
https://ubuntu.com/security/notices/USN-8102-1
http://www.openwall.com/lists/oss-security/2026/03/18/1