CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root (opens in new tab)

(blog.qualys.com)

161 pointsaskl7d ago114 comments

114 comments

ptx7d ago

Better to follow the link to the technical details and just read those: https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-sys...

The article linked in the submission is more verbose but less clear and half of it is an advertisement for their product.

NooneAtAll37d ago

I love that cheeky "oh btw, there's also another vulnerability in rust coreutils rewrite, but we aren't talking about that" paragraph

cyberax7d ago

That's because it's not a vulnerability per se. They found a way to use `rm` as a gadget for their privilege escalation.

The core problem is that there's a world-writable directory that is processed by a program running as root.

1 more reply

nine_k7d ago

But this vulnerability is enabled by a very creative exploitation of the complicated bind mounting scheme used by snap-confine. Just reading about these mounts between /usr/lib to /tmp and back triggered my sense of a potential security vulnerability.

1 more reply

cadamsdotcom7d ago

This.

Might be worth updating the link.

usr11067d ago

I don't like snap and have always uninstalled it in the past. However, that gets more difficult in newer releases, so probably not a sustainable path. Still searching for the distro I could install instead of Xubuntu for friends and family who don't want or need the latest and greatest.

The main reason for my dislike is the closed source nature of snap distribution. App isolation is important and not easy. That bugs will happen and be fixed there is natural. Happens with every other system that was supposed to increase security, too.

atwrk7d ago

Have you tried Debian with the XCFE desktop? Should be pretty similar to Xubuntu (but without Snap, of course)

Sander_Marechal7d ago

I second Debian. All the good bits of Ubuntu have long since been ported back to Debian, and it has much more timely releases now.

1 more reply

littlecranky677d ago

Pop!_OS is basically Ubuntu without snap. Debian is fine, but for some reason it is ugly. Like, you can style and configure it with a thousand options, but simply fails to have a nice theme and UI out of the box.

Xiol6d ago

Worth looking at Fedora. Been using it for work and play for over a decade and it's never let me down. Absolutely solid.

usr11066d ago

I know Fedora, although haven't used it recently anymore because it's not approved at my current job.

But is that something to use by non-geeks on really low end machines?

throwa3562627d ago

I love multipass. It is a simple no BS virtualization solution and probably the best thing to come out of Ubuntu after LXD.

But I can't use it. You know why? Because despite being open source Canonical wont tell you how to compile it and install it as a standalone program. Instead all their documentation says "install via snap"... even if your are on fedora or debian or arch:

https://github.com/canonical/multipass

Snap needs to die, it is hurting everybody including canonical

fulafel7d ago

They do document how to build and run, in the OS specific build docs. Eg this: https://github.com/canonical/multipass/blob/main/BUILD.linux...

I think pointing end users to use the end user packaged app is fine, as is to trust people who are comfortable with building from source to find the build docs from the repo.

rglover7d ago

Semi-related: does anybody know of a reliable API that announces CVEs as they're published?

Edit: for others who may be curious https://www.cve.org/Downloads

Teapot1123587d ago

They publish on GitHub now https://github.com/CVEProject/cvelistV5

If you need metadata added by NVD, NVD website documents their API.

mynameajeff6d ago

We have notifications set up at my job for criticals and I quickly have learned how many 10.0 CVE's are related to random IoT devices that I can't even find via google.

ifh-hn7d ago

I wonder if, and this is just speculating not trying to start an arguement, if this sort of thing could have happened in the simpler pre-snap, pre-systemd systems? More to the point is this a cause of using more complicated software?

AgentME7d ago

Without snap, the front door is wide open: all applications you run are unconfined within your user account and can snoop on all of your files. On a normal single-user desktop system, almost everything valuable is within your user account, not root. If an attacker does want root (such as to install a rootkit that can hide itself or to access other user accounts), they can install an alias to sudo on your account and piggy-back on the next time you use it.

dogleash7d ago

Permission and timing gotchas in /tmp predate snap and systemd. It's why things like `mkstemp` exist.

I remember cron jobs that did what systemd-tmpfiles-clean does before it existed. All unix daemons using /tmp run the risk of misusing /tmp. I don't know snap well enough to say anything about it makes it uniquely more susceptible to that.

SoftTalker7d ago

The mistake seems to be using a predictable path (/tmp/.snap) in a publicly-writable directory.

1 more reply

akdor11547d ago

Well yeah, if everything runs unsandboxed as root then there are no privilege escalations!

Less pithy, i seem to recall many issue with programs that relied on suid and permission dropping, which would be the 'oldschool' way of firming up the above.

You're not wrong that complexity has been introduced, and I'm not a a fan of snap either, but ultimately sandboxes (esp backwards compatible ones that don't need source level modifications) are complex.

If you want simple and secure, you're probably looking at OpenBSD and pledge.

thayne7d ago

This isn't really systemd's fault at all. Systemd just happens to be what cleans up /tmp. You would have the same problem with tmpreaper.

The problem is snapd not protecting against something else writing to /tmp.

rlpb7d ago

It absolutely could have happened when the ecosystem norm is `curl https://third.party/installer|sudo sh`. That was the normal method for third parties to ship software before snaps came along.

We have Flatpaks to solve this problem too now, but AFAICT while Flatpaks do support sandboxing the UX for that is such that most Flatpak non-power-users aren't enforcing sandboxing on Flatpaks they install, so in practice the feature isn't present where it's most needed.

hedora7d ago

I think a better question is whether there are simpler approaches to sandboxing applications that avoid this problem by design.

The answer is definitely "yes". Many articles and books have been written about UNIX administration, and separating accounts, even without jails.

With jails, you could do even better.

sysops9x7d ago

The frustrating part is that Snap's confinement story was supposed to be a selling point. Here we are with a priv-esc in the daemon itself. At this point I've just disabled snapd on all our Ubuntu boxes and moved to flatpak or building from source. The attack surface of a privileged install daemon that parses arbitrary package manifests is just too broad.

charcircuit7d ago

When will these distros accept suid was a mistake and disable it. It has lead to critical local privilege escalation exploits so many times.

NekkoDroid7d ago

Probably never for package based distros. I could see it happening for image based distros, where systemd is slowly but surely providing all the building blocks for. It has had the option for `NoNewPrivileges=` in the `system.conf` since v239, so it isn't exactly difficult to disable for the entire system.

Though you'd be surprised how many binaries are suid binaries while they probably shouldn't be (passwd, mount, groupmems, ...), though alot can also work without being suid just more resticted in what they can do.

Vogtinator5d ago

With https://github.com/thkukuk/account-utils (not the default yet), it's meanwhile possible to run openSUSE Tumbleweed (package based) with NoNewPrivileges= as usual.

yjftsjthsd-h7d ago

> how many binaries are suid binaries while they probably shouldn't be (passwd

I would expect an unprivileged user to be able to change their own password. How else would that work?

3 more replies

simoncion7d ago

> When will these distros accept suid was a mistake and disable it.

I have the following C program that I use as an unprivileged user to put my system into and out of Game Mode.

1) Do you believe that this program is unsafe when compiled and set suid root?

2) How do you propose that I replace it with something that isn't suid root?

  #include <string.h>
  #include <stdlib.h>
  #include <stdio.h>
  #include <unistd.h>
  
  void maybe_do(const char * cmd) {
    if(system(cmd)) {
      perror(cmd);
      exit(2);
    }
  }
  
  int main(int argc, char** argv) {
    if(argc != 2) {
      return 1;
    }
    int turnOff = strncmp("on", argv[1], 2);
  
    if(setuid(0)) {
      perror("uid");
      return 2;
    }
    if(turnOff) {
      maybe_do("/usr/bin/cpupower frequency-set --governor schedutil > /dev/null");
      maybe_do("/bin/echo auto > /sys/class/drm/card0/device/power_dpm_force_performance_level");
    } else {
      maybe_do("/usr/bin/cpupower frequency-set --governor performance > /dev/null");
      maybe_do("/bin/echo high > /sys/class/drm/card0/device/power_dpm_force_performance_level");
    }
    return 0;
  }

c-hendricks7d ago

Run the part that needs root as a daemon, some server that accepts http requests

Use sudo and allow anyone to run the binary without password auth

Use the existing gamemode package

Those are a few options, of course it's your system in the end

1 more reply

charcircuit7d ago

1) I believe the current iteration you have of it is safe.

2) I suggest that a service is created for managing system performance that exposes an API to your user to turn on and off game mode.

1 more reply

wmf7d ago

Around 20 years after suid is deprecated.

AgentME7d ago

The shared /tmp/ directory that can be used by processes of multiple users seems extremely prone to causing this type of issue. I wish there was a common convention for user-specific temp directories on Linux, because a whole class of vulnerabilities could go away.

MacOS handles this great by setting $TMPDIR to some /var/folders/.../ directory that's specific to the current user. Linux does have something similar with $XDG_RUNTIME_DIR (generally /run/user/$UID/), though it's stored in memory only which is a little different from usual for /tmp/, seemingly mainly intended for small stuff like unix sockets.

NekkoDroid7d ago

> Linux does have something similar with $XDG_RUNTIME_DIR (generally /run/user/$UID/), but it's stored in memory only

On a lot (at this point I assume most) of systems /tmp is also just a tmpfs, so it also is just in memory. /var/tmp usually is storage backed though.

thayne7d ago

> I wish there was a common convention for user-specific temp directories on Linux

There kind of is. /run/user/$userId is part of a tmpfs and is owned by the user. But it isn't always used when it should be.

Systemd also has a mechanism to create private /tmp directories for services.

zokier7d ago

which of course raises the question why the fuck snap doesn't use either of these mechanisms?

aidenn07d ago

systemd-tmpfiles bugs the heck out of me. It breaks so many applications for absolutely no good reason. A typical system of mine not running it gathers less than 1GiB per year of uptime in /tmp with disk sizes measured in TB. Even if you are /tmp on a 256GB NVME, that's less than 1% of your total disk per year of uptime. If you upgrade to alternating Ubuntu LTS editions (which requires a reboot every 4 years) systemd-tmpfiles will save you a maximum of 4GB of disk space.

hedora7d ago

If you care about slow tmp leaks, you could also just use a 1-line, decade+ old solution; no additional software required, since your machine already has cron, find and xargs on it:

https://askubuntu.com/questions/431058/using-a-cronjob-to-cl...

If you miss that "will this eat my system?" adrenaline rush you get from systemd-tmpfiles, you could just use cron + find, but replace xargs with the -delete option.

linsomniac6d ago

>which requires a reboot every 4 years

We have a monitoring check and once a system reaches 200 days of uptime we start scheduling a reboot. Because you KNOW there are kernel and library updates that are probably hanging around on disc but not in memory. I used to be an uptime snob, but I've decided it does more harm than good.

Slightly related: A coworker was doing a RAM upgrade on a Sun box. I suggested that before they cracked the hardware open, they first shut it down, and then power it back on, just to make sure it would. So they wouldn't go chasing down a RAM upgrade issue when it was the system itself. I want to say that this system had years of uptime since it was last rebooted, let alone powered off. He was very glad I suggested that, because it indeed did not come back up after the power cycle.

kev0097d ago

I always wonder why Ubuntu is even on the radar anymore. It is a pile of questionable decisions with a billionaire ego bus factor. If you like apt, just use Debian. sid is fine for desktops if you are moderately technical.

linsomniac6d ago

>Ubuntu is even on the radar anymore

The biggest thing that has prevented me from switching prod systems to Debian is that the window for updates is fairly small, at around a year. 13 came out Aug 9, 2025, and 12 goes EOL June 10, 2026. Compared to Ubuntu 24.04 coming out in April 2024, and 22.04 goes EOL in May 2027 (a year after 24.04). So Ubuntu covers 2 releases plus a year.

I know a lot of people feel like this isn't a big deal, but even with Ansible it can be hard to get our fleet of a few hundred machines all upgraded in a year window, being already busy. Some of them are easy, of course, but there are some that take significant time and also involve developer work, etc...

Don't get me wrong, I think Debian is great. But in the data center, there's definitely a case for a longer support window, and I like that about Ubuntu. RHEL is even better for that, but it is very nice that Ubuntu free and Ubuntu commercial are the same, but with RHEL there is that split to CentOS being the free one (haven't used RHELs in quite a while, obviously).

kev0096d ago

Except their LTS is a lie or maybe plausible deniability for businesses that DGAF. They have no idea what they are doing with backports and lack thereof. And if you aren't paying you aren't even receiving many of the updates.

1 more reply

hedora7d ago

Debian is almost as broken as Ubuntu.

However, I've been extremely happy with Devuan. It is Debian minus some bad decisions the Ubuntu voting block forced upstream (for instance, there's no systemd).

capitainenemo7d ago

It is possible to just not use snap on ubuntu. The few ubuntu servers we have, even the couple with a minimal XFCE interface for some gui pieces, don't have snap installed. I realise local exploits happen all the time, but why add a whole new huge surface area if I don't have to.

gertrunde7d ago

It can be done, but it is quite irritating with the way that canonical have made snap a dependency in the minimal meta package. (And minimal on Ubuntu is really really super minimal, doesn't even have ping. Well apart from snap anyway).

They really went out of their way to make it awkward and annoying to take snap out.

zokier7d ago

But why bother running Ubuntu at all just to jump through hoops to avoid snaps? Snaps are obviously Ubuntus the thing, so feels counterproductive to run Ubuntu and fight against it.

capitainenemo6d ago

Most of our servers are Debian (well, mine are Devuan) but there are a few that have to be Ubuntu or Redhat for official support of COTS.

Of those choices, I prefer Ubuntu as being closer to the Debian/Devuan ones.

himata41137d ago

use debootstrap to install instead, chroot is your friend. It comes with nothing and I mean that literally while still having the superior ubuntu kernel.

thayne7d ago

Why does snap-confine need to be setuid, rather than use a user namespace?

curt157d ago

Snap supports programs running as real root. Would those work with user namespaces?

zyga6d ago

There are several reasons but at some point we can use user namespaces to remove them. I'm not particularly a HN person so I won't go into details but it's possible to drop the setuid bits sooner rather than later.

broadsidepicnic7d ago

Well, fuck snaps, that is.

Even though I've used ubuntu since 6.04, fuck snaps. I'm still stuck on Ubuntu even after 20 years. But fuck snaps.

zokier7d ago

Why are you stuck on Ubuntu, what is holding you back?

IshKebab7d ago

Eh. Definitely not great but until they make it so you can't trivially MitM sudo, I don't think any local privilege execution bugs on Linux are especially notable, at least for most desktop users. Also there's the whole xkcd "at least they can't install drivers" thing.

1 more reply

j / k navigate · click thread line to collapse

114 comments

ptx7d ago

Better to follow the link to the technical details and just read those: https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-sys...

The article linked in the submission is more verbose but less clear and half of it is an advertisement for their product.

NooneAtAll37d ago

I love that cheeky "oh btw, there's also another vulnerability in rust coreutils rewrite, but we aren't talking about that" paragraph

cyberax7d ago

That's because it's not a vulnerability per se. They found a way to use `rm` as a gadget for their privilege escalation.

The core problem is that there's a world-writable directory that is processed by a program running as root.

1 more reply

nine_k7d ago

1 more reply

cadamsdotcom7d ago

This.

Might be worth updating the link.

usr11067d ago

atwrk7d ago

Have you tried Debian with the XCFE desktop? Should be pretty similar to Xubuntu (but without Snap, of course)

Sander_Marechal7d ago

I second Debian. All the good bits of Ubuntu have long since been ported back to Debian, and it has much more timely releases now.

1 more reply

littlecranky677d ago

Xiol6d ago

Worth looking at Fedora. Been using it for work and play for over a decade and it's never let me down. Absolutely solid.

usr11066d ago

I know Fedora, although haven't used it recently anymore because it's not approved at my current job.

But is that something to use by non-geeks on really low end machines?

throwa3562627d ago

I love multipass. It is a simple no BS virtualization solution and probably the best thing to come out of Ubuntu after LXD.

https://github.com/canonical/multipass

Snap needs to die, it is hurting everybody including canonical

fulafel7d ago

They do document how to build and run, in the OS specific build docs. Eg this: https://github.com/canonical/multipass/blob/main/BUILD.linux...

I think pointing end users to use the end user packaged app is fine, as is to trust people who are comfortable with building from source to find the build docs from the repo.

rglover7d ago

Semi-related: does anybody know of a reliable API that announces CVEs as they're published?

Edit: for others who may be curious https://www.cve.org/Downloads

Teapot1123587d ago

They publish on GitHub now https://github.com/CVEProject/cvelistV5

If you need metadata added by NVD, NVD website documents their API.

mynameajeff6d ago

We have notifications set up at my job for criticals and I quickly have learned how many 10.0 CVE's are related to random IoT devices that I can't even find via google.

ifh-hn7d ago

AgentME7d ago

dogleash7d ago

Permission and timing gotchas in /tmp predate snap and systemd. It's why things like `mkstemp` exist.

SoftTalker7d ago

The mistake seems to be using a predictable path (/tmp/.snap) in a publicly-writable directory.

1 more reply

akdor11547d ago

Well yeah, if everything runs unsandboxed as root then there are no privilege escalations!

Less pithy, i seem to recall many issue with programs that relied on suid and permission dropping, which would be the 'oldschool' way of firming up the above.

If you want simple and secure, you're probably looking at OpenBSD and pledge.

thayne7d ago

This isn't really systemd's fault at all. Systemd just happens to be what cleans up /tmp. You would have the same problem with tmpreaper.

The problem is snapd not protecting against something else writing to /tmp.

rlpb7d ago

It absolutely could have happened when the ecosystem norm is `curl https://third.party/installer|sudo sh`. That was the normal method for third parties to ship software before snaps came along.

hedora7d ago

I think a better question is whether there are simpler approaches to sandboxing applications that avoid this problem by design.

The answer is definitely "yes". Many articles and books have been written about UNIX administration, and separating accounts, even without jails.

With jails, you could do even better.

sysops9x7d ago

charcircuit7d ago

When will these distros accept suid was a mistake and disable it. It has lead to critical local privilege escalation exploits so many times.

NekkoDroid7d ago

Vogtinator5d ago

With https://github.com/thkukuk/account-utils (not the default yet), it's meanwhile possible to run openSUSE Tumbleweed (package based) with NoNewPrivileges= as usual.

yjftsjthsd-h7d ago

> how many binaries are suid binaries while they probably shouldn't be (passwd

I would expect an unprivileged user to be able to change their own password. How else would that work?

3 more replies

simoncion7d ago

> When will these distros accept suid was a mistake and disable it.

I have the following C program that I use as an unprivileged user to put my system into and out of Game Mode.

1) Do you believe that this program is unsafe when compiled and set suid root?

2) How do you propose that I replace it with something that isn't suid root?

  #include <string.h>
  #include <stdlib.h>
  #include <stdio.h>
  #include <unistd.h>
  
  void maybe_do(const char * cmd) {
    if(system(cmd)) {
      perror(cmd);
      exit(2);
    }
  }
  
  int main(int argc, char** argv) {
    if(argc != 2) {
      return 1;
    }
    int turnOff = strncmp("on", argv[1], 2);
  
    if(setuid(0)) {
      perror("uid");
      return 2;
    }
    if(turnOff) {
      maybe_do("/usr/bin/cpupower frequency-set --governor schedutil > /dev/null");
      maybe_do("/bin/echo auto > /sys/class/drm/card0/device/power_dpm_force_performance_level");
    } else {
      maybe_do("/usr/bin/cpupower frequency-set --governor performance > /dev/null");
      maybe_do("/bin/echo high > /sys/class/drm/card0/device/power_dpm_force_performance_level");
    }
    return 0;
  }

c-hendricks7d ago

Run the part that needs root as a daemon, some server that accepts http requests

Use sudo and allow anyone to run the binary without password auth

Use the existing gamemode package

Those are a few options, of course it's your system in the end

1 more reply

charcircuit7d ago

1) I believe the current iteration you have of it is safe.

2) I suggest that a service is created for managing system performance that exposes an API to your user to turn on and off game mode.

1 more reply

wmf7d ago

Around 20 years after suid is deprecated.

AgentME7d ago

NekkoDroid7d ago

> Linux does have something similar with $XDG_RUNTIME_DIR (generally /run/user/$UID/), but it's stored in memory only

On a lot (at this point I assume most) of systems /tmp is also just a tmpfs, so it also is just in memory. /var/tmp usually is storage backed though.

thayne7d ago

> I wish there was a common convention for user-specific temp directories on Linux

There kind of is. /run/user/$userId is part of a tmpfs and is owned by the user. But it isn't always used when it should be.

Systemd also has a mechanism to create private /tmp directories for services.

zokier7d ago

which of course raises the question why the fuck snap doesn't use either of these mechanisms?

aidenn07d ago

hedora7d ago

If you care about slow tmp leaks, you could also just use a 1-line, decade+ old solution; no additional software required, since your machine already has cron, find and xargs on it:

https://askubuntu.com/questions/431058/using-a-cronjob-to-cl...

If you miss that "will this eat my system?" adrenaline rush you get from systemd-tmpfiles, you could just use cron + find, but replace xargs with the -delete option.

linsomniac6d ago

>which requires a reboot every 4 years

kev0097d ago

linsomniac6d ago

>Ubuntu is even on the radar anymore

kev0096d ago

1 more reply

hedora7d ago

Debian is almost as broken as Ubuntu.

However, I've been extremely happy with Devuan. It is Debian minus some bad decisions the Ubuntu voting block forced upstream (for instance, there's no systemd).

capitainenemo7d ago

gertrunde7d ago

They really went out of their way to make it awkward and annoying to take snap out.

zokier7d ago

But why bother running Ubuntu at all just to jump through hoops to avoid snaps? Snaps are obviously Ubuntus the thing, so feels counterproductive to run Ubuntu and fight against it.

capitainenemo6d ago

Most of our servers are Debian (well, mine are Devuan) but there are a few that have to be Ubuntu or Redhat for official support of COTS.

Of those choices, I prefer Ubuntu as being closer to the Debian/Devuan ones.

himata41137d ago

use debootstrap to install instead, chroot is your friend. It comes with nothing and I mean that literally while still having the superior ubuntu kernel.

thayne7d ago

Why does snap-confine need to be setuid, rather than use a user namespace?

curt157d ago

Snap supports programs running as real root. Would those work with user namespaces?

zyga6d ago

broadsidepicnic7d ago

Well, fuck snaps, that is.

Even though I've used ubuntu since 6.04, fuck snaps. I'm still stuck on Ubuntu even after 20 years. But fuck snaps.

zokier7d ago

Why are you stuck on Ubuntu, what is holding you back?

IshKebab7d ago

1 more reply

j / k navigate · click thread line to collapse