Description
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Published: 2026-03-17
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in snapd on Linux allows a local attacker to obtain root privileges by exploiting the way the service recreates snap's private /tmp directory when systemd-tmpfiles reclaims system temporary files. This flaw, identified as CWE-268 (Missing Authorization Functionality), enables an unauthenticated local user to gain full administrative control over the affected system, compromising confidentiality, integrity, and availability at the host level.

Affected Systems

Affected versions include Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS as provided by the vendor. No finer-grained version details are supplied in the CVE data, so all releases of snapd running under Canonical’s Ubuntu distributions are potentially impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Because the attack requires local system access, a user who can execute code on the machine may trigger the re-creation of the private /tmp directory and elevate privileges. No mention of network-based exploitation or remote resources is made in the description, so the vector is inferred to be local only.

Generated by OpenCVE AI on March 17, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest snapd update from Canonical’s official repositories to apply any vendor‐supplied fix
  • Verify and, if necessary, modify systemd-tmpfiles rules so that the /tmp directory used by snapd is not automatically deleted or recreated
  • Monitor system logs for unusual activity indicating attempted privilege escalation or unauthorized subscription access



Advisories
Source | ID | Title
Debian DSA | DSA-6170-1 | snapd security update
Ubuntu USN | USN-8102-1 | snapd vulnerability
Ubuntu USN | USN-8102-2 | snapd regression

History

Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Canonical; Canonical ubuntu
Vendors & Products | | Canonical; Canonical ubuntu

Wed, 18 Mar 2026 04:30:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 18 Mar 2026 00:15:00 +0000


Tue, 17 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Title | | Local Privilege Escalation in snapd
Weaknesses | | CWE-268
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-03-18T08:59:07.522Z

Reserved: 2026-03-10T16:03:08.583Z

Link: CVE-2026-3888

Vulnrichment

Updated: 2026-03-18T03:02:10.640Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T14:16:17.410

Modified: 2026-03-18T04:17:30.720

Link: CVE-2026-3888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:18Z

Weaknesses