Cyber Resilience

CVE-2026-3888

High · Updated

Published: 17 March 2026

Modified: 04 June 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3888 is a high-severity Privilege Chaining (CWE-268) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3888 is a local privilege escalation vulnerability in snapd on Linux systems, published on 2026-03-17. It enables local attackers to obtain root privileges by re-creating snap's private /tmp directory after systemd-tmpfiles automatically cleans it up. The issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS. It has a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-268.

Exploitation requires local access with low privileges and has high attack complexity. Successful exploitation elevates the attacker to root, with high impact on confidentiality, integrity, and availability; because the scope is changed (S:C), that impact extends beyond the vulnerable component to the system as a whole.

Advisories from Qualys and Ubuntu detail mitigations, including patches. Key references include the Qualys vulnerability research blog (https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root), Ubuntu Discourse (https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888), and Ubuntu Security Notice USN-8102-1 (https://ubuntu.com/security/notices/USN-8102-1), which address the flaw in affected releases.


Vulnerability details

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068: Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a local privilege escalation vulnerability in snapd that allows low-privileged users to gain root through a directory re-creation race after tmpfiles cleanup. This directly matches T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34179 · Same vendor: Canonical
CVE-2025-33208 · Same product: Canonical Ubuntu Linux
CVE-2026-34178 · Same vendor: Canonical
CVE-2026-32693 · Same vendor: Canonical
CVE-2026-32692 · Same vendor: Canonical
CVE-2025-0889 · Shared CWE-268
CVE-2026-34177 · Same vendor: Canonical
CVE-2025-14551 · Same vendor: Canonical
CVE-2025-15480 · Same vendor: Canonical
CVE-2025-0928 · Same vendor: Canonical

Affected Assets

canonical
ubuntu linux
16.04, 18.04, 20.04, 22.04, 24.04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the snapd flaw allowing local privilege escalation via re-creation of the private /tmp directory after systemd-tmpfiles cleanup.

detect

Vulnerability scanning identifies the presence of CVE-2026-3888 in snapd on affected Ubuntu systems, enabling timely patching.

prevent

Enforces secure configuration settings for snapd and systemd-tmpfiles to mitigate the directory cleanup race condition exploited in this vulnerability.
