Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit
Source: The Hacker News
Published: Wed, 18 Mar 2026 08:08:00 GMT
A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level.
Tracked as CVE-2026-3888 (CVSS score: 7.8), the issue could allow an attacker to seize control of a susceptible system.
"This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles," the Qualys Threat Research Unit (TRU) said . "While the exploit requires a specific time-based window (10–30 days), the resulting impact is a complete compromise of the host system."
The problem, Qualys noted, stems from the unintended interaction of snap-confine, which manages execution environments for snap applications by creating a sandbox, and systemd-tmpfiles, which automatically cleans up temporary files and directories (e.g.,/tmp, /run, and /var/tmp) older than a defined threshold.
The vulnerability has been patched in the following versions -
The attack requires low privileges and no user interaction, although the attack complexity is high due to the time-delay mechanism in the exploit chain.
"In default configurations, systemd-tmpfiles is scheduled to remove stale data in /tmp," Qualys said. "An attacker can exploit this by manipulating the timing of these cleanup cycles."
The attack plays out in the following manner -
In addition, Qualys said it discovered a race condition flaw in the uutils coreutils package that allows an unprivileged local attacker to replace directory entries with symbolic links (aka symlinks) during root-owned cron executions.
"Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories," the cybersecurity company said. "The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository."
A practical deep dive into securing AI agents against real-world attack paths beyond the model itself.
See exactly where your controls stand against today’s threats—automated, accurate, approachable.
Get the latest news, expert insights, exclusive resources, and strategies from industry leaders – all for free.
Source
Original report: https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html