Tag

Systemd Tmpfiles

All articles tagged with #systemd tmpfiles

Ubuntu patches timer-based root access (CVE-2026-3888)
security · 3 hours ago

Ubuntu Desktop 24.04+ is patched for CVE-2026-3888, a high-severity local privilege escalation that can occur via a timing window in which systemd-tmpfiles cleanup interacts with snap-confine. An unprivileged attacker could wait for the cleanup to delete /tmp/.snap, recreate it with a payload, and have it bound as root on the next sandbox initialization. Patches are available through updated snapd versions across Ubuntu 24.04.x, 25.10.x, 26.04.x, and upstream; exploitation requires a 10–30 day window and no user interaction. The report also notes a separate race condition in uutils coreutils that could enable root-level file operations during cron, mitigated by reverting rm to GNU coreutils in Ubuntu 25.10 and applying upstream uutils fixes. Users should apply the patched snapd updates to mitigate risk.