high advisory

Potential snap-confine Privilege Escalation via CVE-2026-3888

An unprivileged user may exploit CVE-2026-3888 to escalate privileges to root by creating malicious files in the /tmp/.snap directory.

CVE-2026-3888 is a local privilege escalation vulnerability affecting Ubuntu systems using snap-confine. The vulnerability exists because systemd-tmpfiles may delete the /tmp/.snap directory, which is normally created by root. An unprivileged user can then recreate this directory and populate it with attacker-controlled files. The snap-confine utility, during subsequent snap sandbox initialization, may then bind-mount or trust these attacker-controlled paths. This can lead to the manipulation…

Detection coverage 2

Detect Non-Root File Creation in Snap Temporary Directories

high

Detects file creation by non-root users in /tmp/.snap or /tmp/snap-private-tmp/*/tmp/.snap, indicative of CVE-2026-3888 exploitation attempts.

sigma | tactics: cve-2026-3888, privilege_escalation | techniques: T1068 | sources: file_event, linux

Detect Snap Confine Execution with Suspicious Arguments

medium

Detects snap-confine execution with arguments pointing to the /tmp/.snap directory, potentially indicating exploitation of CVE-2026-3888.

sigma | tactics: cve-2026-3888, privilege_escalation | techniques: T1068 | sources: process_creation, linux
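
The logic of the two detections above, sketched in Python as an added example; it is not the platform's Sigma rules or code from the advisory. The event field names (`action`, `uid`, `path`, `image`, `argv`) and the sample events are constructed assumptions, and `non_root_owned` is a hypothetical helper for checking the on-disk owner of the directory.

```python
import os
import posixpath

# Directories named in the advisory's detection rules ("*" = one path component).
WATCHED = ("/tmp/.snap", "/tmp/snap-private-tmp/*/tmp/.snap")

def in_snap_tmp(path):
    """True if path is a watched directory or lies beneath one."""
    parts = posixpath.normpath(path).split("/")
    for pattern in WATCHED:
        want = pattern.split("/")
        # Compare whole components so /tmp/.snapshot does not match /tmp/.snap.
        if len(parts) >= len(want) and all(
                w == "*" or w == p for w, p in zip(want, parts)):
            return True
    return False

def flag_file_events(events):
    """File creations by non-root users inside a watched directory."""
    return [e for e in events
            if e["action"] == "create" and e["uid"] != 0 and in_snap_tmp(e["path"])]

def flag_process_events(events):
    """snap-confine executions with an argument pointing into a watched directory."""
    return [e for e in events
            if posixpath.basename(e["image"]) == "snap-confine"
            and any(in_snap_tmp(a) for a in e["argv"][1:] if a.startswith("/"))]

def non_root_owned(path):
    """True if path exists and its owner is not root (symlinks are not followed)."""
    try:
        return os.lstat(path).st_uid != 0
    except FileNotFoundError:
        return False

# Constructed sample events; the field names are assumptions, not a real log schema.
FILE_EVENTS = [
    {"action": "create", "uid": 1000, "path": "/tmp/.snap/file1"},
    {"action": "create", "uid": 0, "path": "/tmp/.snap"},
    {"action": "create", "uid": 1001, "path": "/tmp/snap-private-tmp/snap.demo/tmp/.snap/file2"},
    {"action": "create", "uid": 1000, "path": "/tmp/.snapshot/file3"},
    {"action": "create", "uid": 1000, "path": "/tmp/.snap/../file4"},
]
PROC_EVENTS = [
    {"image": "/usr/lib/snapd/snap-confine", "argv": ["snap-confine", "/tmp/.snap/file1"]},
    {"image": "/usr/lib/snapd/snap-confine", "argv": ["snap-confine", "/var/lib/demo"]},
]

if __name__ == "__main__":
    for hit in flag_file_events(FILE_EVENTS) + flag_process_events(PROC_EVENTS):
        print("ALERT", hit)
    print("/tmp/.snap owned by non-root:", non_root_owned("/tmp/.snap"))
```

Matching on whole path components after normalization avoids false positives from look-alike names such as `/tmp/.snapshot` and from `..` segments that resolve outside the watched directory.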
