March 18, 2026

Snaps, root, and roast

Article URL →HN comments →

CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root

Ubuntu 'Snap' bug lets locals grab the crown—community blames complexity, suid, and chaos

TLDR: A bug in Ubuntu’s Snap tools can let a local user gain full control after a 10–30 day timing window by abusing how two system utilities interact. Commenters are split between blaming modern complexity (Snap/systemd), demanding an end to “suid,” and just linking the dense advisory—Linux drama remains unpatched.

A new flaw in Ubuntu’s app system, Snap, has the internet yelling “here we go again.” Researchers say CVE-2026-3888 can let a local user snag full root control on default Ubuntu 24.04+ by exploiting an awkward tango between two tools—snap-confine (the Snap sandbox builder) and systemd-tmpfiles (the temp-folder janitor). It’s rated High and needs a 10–30 day timing window, which only fueled the drama: is this a serious landmine, or a slow-burn gotcha?

The thread split fast. One camp is dunking on modern Linux complexity: “Could this have happened in the pre-snap, pre-systemd days?” asks a nostalgist, while another commenter goes nuclear: “suid was a mistake—turn it off.” Meanwhile, the pragmatists roll their eyes and drop the dense advisory link, with one sighing the article is “more verbose but less clear” and urging folks to read the raw tech write-up.

Bonus subplot: a side vulnerability in the Rust-based “uutils” core tools for Ubuntu 25.10 got quietly sidestepped by swapping its rm with the classic GNU version—cue memes about “rm -rf” becoming “rm -WTF.” Others traded helpful links to the CVE feed.

The vibe? Equal parts “patch now!”, “too many moving parts!”, and “read the manual.” Also: the “Year of the Linux Desktop”… but only if you wait 10–30 days.

Key Points

  • Qualys Threat Research Unit disclosed CVE-2026-3888, a High-severity LPE affecting default Ubuntu Desktop 24.04 and later.
  • The vulnerability arises from an unintended interaction between snap-confine (setuid-root) and systemd-tmpfiles.
  • Successful exploitation grants full root access, enabling complete host compromise.
  • Attack complexity is High due to a 10–30 day timing window tied to systemd-tmpfiles’ /tmp cleanup cycles.
  • A separate vulnerability in uutils coreutils for Ubuntu 25.10 was found and mitigated pre-release with the Ubuntu Security Team.

Hottest takes

"accept suid was a mistake and disable it" — charcircuit
"More verbose but less clear" — ptx
"could this have happened in the simpler pre-snap, pre-systemd systems?" — ifh-hn

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.