CVE-2026-3888
Published: 17 March 2026
Summary
CVE-2026-3888 is a high-severity Privilege Chaining (CWE-268) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3888 is a local privilege escalation vulnerability in snapd on Linux systems, published on 2026-03-17. It enables local attackers to obtain root privileges by re-creating snap's private /tmp directory after systemd-tmpfiles automatically cleans it up. The issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-268.
Exploitation requires local access with low privileges and has high attack complexity. Successful exploitation elevates the attacker to root, with high impact on confidentiality, integrity, and availability; because the scope is changed, that impact extends across the system.
Advisories from Qualys and Ubuntu detail mitigations, including patches. Key references include the Qualys vulnerability research blog (https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root), Ubuntu Discourse (https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888), and Ubuntu Security Notice USN-8102-1 (https://ubuntu.com/security/notices/USN-8102-1), which address the flaw in affected releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12570
Vulnerability details
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The CVE describes a local privilege escalation vulnerability in snapd that allows low-privileged users to gain root through a directory re-creation race after tmpfiles cleanup; this directly matches T1068 Exploitation for Privilege Escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the snapd flaw allowing local privilege escalation via re-creation of the private /tmp directory after systemd-tmpfiles cleanup.
Vulnerability scanning identifies the presence of CVE-2026-3888 in snapd on affected Ubuntu systems, enabling timely patching.
Enforces secure configuration settings for snapd and systemd-tmpfiles to mitigate the directory cleanup race condition exploited in this vulnerability.