Security researchers at the Qualys Threat Research Unit (TRU) have disclosed a local privilege escalation vulnerability affecting default installations of Ubuntu Desktop 24.04 and later.
Qualys said the flaw, tracked as CVE-2026-3888, could allow an unprivileged local attacker to gain full root access by exploiting the interaction between two standard system components: snap-confine and systemd-tmpfiles.
According to the disclosure, successful exploitation depends on a specific time-based window of 10 to 30 days. If exploited, the impact would be a complete compromise of the affected host, Qualys said.
Qualys’ technical write-up is available at: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
