Security alert at Ubuntu 24.04: failure between snapd and systemd-tmpfiles could grant root access to a local attacker

Published · 5 min read · 106 reads

A high-severity vulnerability in default Ubuntu Desktop installations from 24.04 onward has set off alarms in the security community: a flaw that could allow an unprivileged local attacker to escalate to full root access. The research was published by the Qualys Threat Research Unit, which described how the interaction between two standard system components, the snap confinement manager and the automatic temporary-file cleaner, can open a window for a full compromise of the machine. You can read the original Qualys report here, and the CVE entry in the NVD database is available in NIST's public register.

In simple terms, the problem arises from an accidental collision between snap-confine, the component that prepares and isolates the runtime environments of applications distributed as snaps, and systemd-tmpfiles, the service that periodically cleans up the system's temporary files and directories. Under default conditions, systemd-tmpfiles can remove directories that snap-confine expects to find and recreate with secure permissions. If an attacker can anticipate that deletion, he can recreate the removed directory with manipulated content that, when mounted by snap-confine, ends up running with root privileges.

Image generated with AI.

The attack does not require high privileges or user interaction: the attacker only needs a local account and the ability to execute code. What complicates exploitation is timing. systemd-tmpfiles acts according to age thresholds and, in Ubuntu's default configuration, this period is relatively long: in Ubuntu 24.04 the cleanup of certain content is scheduled every 30 days, while in later versions the default period may be 10 days. In other words, the exploit depends on waiting for the daemon to delete a critical directory and then using the window it leaves to place the malicious trap before the next sandbox initialization.

Qualys rated the vulnerability as high severity, with a CVSS score of 7.8, because the potential impact is a full takeover of the host. The flaw has been recorded as CVE-2026-3888, and fixes have already been published in the affected branches of snapd, the service responsible for managing snap packages. The affected and fixed versions are listed both in the Ubuntu packages and in snapd's upstream development; the upstream release page is a good reference point for the fixed versions: snapd releases. To better understand the cleanup behaviour that enables the attack, the systemd documentation on systemd-tmpfiles provides useful technical context: systemd-tmpfiles (man).

In parallel, Qualys identified another race-condition weakness in the implementation of system utilities by the uutils project (a Rust reimplementation of the traditional coreutils). This flaw allows a local attacker to replace directory entries with symbolic links during scheduled execution by cron as the root user, which could result in arbitrary file deletion as root or other escalation vectors by targeting sensitive directories used by snaps. Canonical responded to this risk by temporarily reverting the default rm command to the classic GNU coreutils variant on the Ubuntu 25.10 branch, while the uutils maintainers have applied upstream fixes in their repository: uutils/coreutils.

Image generated with AI.

If you use Ubuntu Desktop on one of the affected branches, the immediate recommendation is to install the snapd updates published by your distribution and stay current with Ubuntu security notices. The Ubuntu security centre offers an overview of notices and newsletters and is a good starting point for following official fixes: Ubuntu Security. In general, updating snapd with the system tools (apt, snap refresh, or whatever procedure your version uses) is the most direct way to close this gap. For administrators who need additional short-term mitigation, reviewing the systemd-tmpfiles configuration to shorten cleanup windows, or changing the policy on which paths are purged, can reduce the attack surface until the fix is applied, always with caution and after checking the operational impact of such changes.
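The review of cleanup windows suggested above starts with knowing which paths systemd-tmpfiles will age-clean and how long each window is. The following Python script is an added example, not part of the original article and not code from the snapd or systemd projects: it parses lines in tmpfiles.d syntax (Type Path Mode User Group Age Argument), converts the Age field to seconds, and lists every age-cleaned path, flagging those whose window exceeds a threshold you choose. The configuration embedded in it is constructed for illustration; on a real system you would feed it the output of `systemd-tmpfiles --cat-config`, and the specific snapd-related paths are those named in the Qualys report, not anything assumed here.

```python
"""Audit tmpfiles.d entries for the age-based cleanup windows that
systemd-tmpfiles enforces.  Added example; SAMPLE_CONFIG below is
constructed and is not a real Ubuntu or snapd file."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Unit suffixes accepted in the tmpfiles.d Age field, mapped to seconds.
UNIT_SECONDS = {
    "us": 1e-6, "ms": 1e-3, "s": 1, "sec": 1, "m": 60, "min": 60,
    "h": 3600, "hr": 3600, "d": 86400, "w": 604800,
}
_AGE_TOKEN = re.compile(r"(\d+)([a-z]+)?")


def parse_age(age: str) -> Optional[float]:
    """Convert an Age field such as '30d', '1h30min' or 'mc:7d' to seconds.

    Returns None for '-' (or an empty field), which means 'never age-clean'.
    """
    if age in ("", "-"):
        return None
    if ":" in age:                        # optional "age-by:" prefix, e.g. "mc:7d"
        age = age.split(":", 1)[1]
    age = age.lstrip("~")                 # '~' limits cleanup depth; same age
    total, pos = 0.0, 0
    for m in _AGE_TOKEN.finditer(age):
        if m.start() != pos:
            raise ValueError(f"malformed age field: {age!r}")
        pos = m.end()
        unit = m.group(2) or "s"          # a bare number means seconds
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown age unit {unit!r} in {age!r}")
        total += int(m.group(1)) * UNIT_SECONDS[unit]
    if pos != len(age):
        raise ValueError(f"malformed age field: {age!r}")
    return total


@dataclass
class TmpfilesEntry:
    kind: str             # Type column, e.g. "d", "D", "f", "L+"
    path: str
    age: Optional[float]  # cleanup age in seconds; None when nothing is age-cleaned


def parse_tmpfiles(text: str) -> List[TmpfilesEntry]:
    """Parse tmpfiles.d lines.  Only d, D and e lines honour the Age field,
    so every other type gets age=None."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)        # handles quoted paths with spaces
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected at least Type and Path")
        fields += ["-"] * (6 - len(fields))   # pad omitted Mode/User/Group/Age
        kind, path, _mode, _user, _group, age = fields[:6]
        age_s = parse_age(age) if kind[0] in "dDe" else None
        entries.append(TmpfilesEntry(kind, path, age_s))
    return entries


def cleanup_windows(text: str, threshold_seconds: float) -> List[Tuple[str, str, float, bool]]:
    """Return (path, type, age_seconds, exceeds_threshold) for every entry that
    systemd-tmpfiles will age-clean, longest window first.  These are the
    entries an administrator would inspect when deciding whether to adjust a
    cleanup age or exclude a path from age-based cleanup."""
    rows = []
    for entry in parse_tmpfiles(text):
        if entry.age is None:
            continue
        rows.append((entry.path, entry.kind, entry.age, entry.age > threshold_seconds))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample in tmpfiles.d syntax (not a real distribution file).
SAMPLE_CONFIG = """\
# Type Path               Mode User Group Age  Argument
D     /tmp                1777 root root  30d
D     /var/tmp            1777 root root  10d
d     /run/example        0755 root root  -
f     /etc/example.conf   0644 root root  -    example
d     "/tmp/with space"   0700 root root  12h
"""

if __name__ == "__main__":
    week = 7 * 86400
    for path, kind, age, long_window in cleanup_windows(SAMPLE_CONFIG, week):
        flag = "LONG" if long_window else "ok"
        print(f"{flag:4} {kind:2} {path:20} cleaned after {age / 86400:.1f} days")
```

Run it as-is to see the report for the constructed sample; to audit a live system, pipe `systemd-tmpfiles --cat-config` into `cleanup_windows` instead of `SAMPLE_CONFIG`. Lines of type `D` differ from `d` in that their contents are also removed at boot when the service runs with `--remove`, which is why both are reported.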

This incident highlights a recurring lesson in security: even components designed to isolate and protect, such as snap sandboxes, can become unsafe when they interact with other parts of the system that were not designed to cooperate in that scenario. The chain of trust is only as strong as its weakest link, and in this case the timing of maintenance tasks created that link. Keeping systems up to date, reviewing default configurations and monitoring vendor security communications are practices that, although basic, remain the most effective at reducing risk.

For those who want to dig deeper into the technical details, Qualys's detailed analysis is a good starting point, and the links to the snapd and uutils repositories let you follow the fixes and understand how the code-level errors were addressed. The NIST entry also offers the CVE's classification and history, useful for integrating the information into corporate vulnerability management processes. Stay alert for updates and apply the recommended patches as soon as possible to protect machines and data.
