CWE-268
Privilege Chaining
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.
CVE-2026-3888 (GCVE-0-2026-3888)
Vulnerability from cvelistv5 – Published: 2026-03-17 14:02 – Updated: 2026-03-18 08:59
VLAI
Title
Local Privilege Escalation in snapd
Summary
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Severity
7.8 (High)
CWE
- CWE-268 - Privilege chaining
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2026-3888 | vdb-entryissue-tracking |
| https://ubuntu.com/security/notices/USN-8102-1 | vendor-advisory |
| https://discourse.ubuntu.com/t/snapd-local-privil… | technical-descriptionvendor-advisory |
| https://blog.qualys.com/vulnerabilities-threat-re… | technical-descriptionmedia-coverage |
| https://cdn2.qualys.com/advisory/2026/03/17/snap-… | technical-descriptionmedia-coverage |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
0 , < 2.75.1
(semver)
|
|||
| Canonical | Ubuntu 16.04 LTS |
Unaffected:
2.61.4ubuntu0.16.04.1+esm2 , < *
(dpkg)
|
|
| Canonical | Ubuntu 18.04 LTS |
Unaffected:
2.61.4ubuntu0.18.04.1+esm2 , < *
(dpkg)
|
|
| Canonical | Ubuntu 20.04 LTS |
Unaffected:
2.67.1+20.04ubuntu1~esm1 , < *
(dpkg)
|
|
| Canonical | Ubuntu 22.04 LTS |
Unaffected:
2.73+ubuntu22.04.1 , < *
(dpkg)
|
|
| Canonical | Ubuntu 24.04 LTS |
Unaffected:
2.73+ubuntu24.04.2 , < *
(dpkg)
|
Date Public
2026-03-17 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T03:55:45.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-18T03:02:10.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/18/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "snapd",
"repo": "https://github.com/canonical/snapd/",
"versions": [
{
"lessThan": "2.75.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.61.4ubuntu0.16.04.1+esm2",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.61.4ubuntu0.18.04.1+esm2",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.67.1+20.04ubuntu1~esm1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.73+ubuntu22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.73+ubuntu24.04.2",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qualys Security Advisory Team"
}
],
"datePublic": "2026-03-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap\u0027s private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-268",
"description": "CWE-268 Privilege chaining",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T08:59:07.522Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry",
"issue-tracking"
],
"url": "https://ubuntu.com/security/CVE-2026-3888"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-8102-1"
},
{
"tags": [
"technical-description",
"vendor-advisory"
],
"url": "https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888"
},
{
"tags": [
"technical-description",
"media-coverage"
],
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root"
},
{
"tags": [
"technical-description",
"media-coverage"
],
"url": "https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation in snapd"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-3888",
"datePublished": "2026-03-17T14:02:08.475Z",
"dateReserved": "2026-03-10T16:03:08.583Z",
"dateUpdated": "2026-03-18T08:59:07.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-49
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Mitigation ID: MIT-1
Phases: Architecture and Design, Operation
Description:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-17
Phases: Architecture and Design, Operation
Strategy: Environment Hardening
Description:
- Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.