this post was submitted on 01 Apr 2026
27 points (86.5% liked)

Linux

64214 readers
479 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
27
Timing Flaw in systemd Cleanup Enables Root Privilege Escalation (cybersecurity88.com)
submitted 3 hours ago by ChrisG@lemmy.world to c/linux@lemmy.ml
12 comments fedilink hide all child comments
 

Yet another critical vulnerability in systemd, this time involving snapd. Ubuntu folk are affected.

"A serious security issue has been discovered in Ubuntu, and it is gaining attention in the cybersecurity community. The vulnerability is identified as CVE-2026-3888 and mainly affects Ubuntu Desktop systems from version 24.04 onwards. This flaw is dangerous because it allows an attacker with limited access to gain full root privileges. Root access means complete control over the entire system."

top 12 comments
sorted by: hot top controversial new old
[–] AcornTickler@sh.itjust.works 3 points 52 minutes ago (1 children)

When I need to create scratch files I usually operate in /tmp. Almost all directories there that I saw were using randomized paths (e.g. UUIDs). I guess this is to prevent problems mentioned in the article. So, I believe this would be a vulnerability of snap, not systemd.

I use Fedora where /tmp is created as tmpfs, which lives in RAM and is cleared when the system is shut down. I wonder what's the benefit of Ubuntu's approach.

[–] ChrisG@lemmy.world 1 points 10 minutes ago

If you think about it for even a minute this is still a glaring cve in systemd, exposed in this case, by misbehaving snapd. systemd still needed to be patched and so did snapd.

[–] eleijeep@piefed.social 7 points 2 hours ago (2 children)

Not a very good article. The original write-up (not linked anywhere in the article) is here: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root

They also mention something else that's interesting at the bottom of the write-up:

Secondary Finding: Vulnerability in Ubuntu 25.10 uutils Coreutils

In a proactive security effort prior to the release of Ubuntu Desktop 25.10, the Qualys Threat Research Unit assisted the Ubuntu Security Team in reviewing the uutils coreutils package (a Rust rewrite of standard GNU utilities).

A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions (specifically /etc/cron.daily/apport). Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.

The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.

[–] ozymandias117@lemmy.world 2 points 1 hour ago

Wait. So the flaw was in uutils, and this article reported it as a systemd bug...?

[–] ChrisG@lemmy.world 1 points 1 hour ago

Yes, thank you for the extra info!

[–] bad1080@piefed.social 2 points 1 hour ago* (last edited 1 hour ago) (1 children)

how would i know if Kubuntu 25.10 is affected (based on ubuntu)?
i guess this means yes?
command 'snap' from deb snapd (2.73+ubuntu25.10.1)
as it is lower than the version mentioned in the article "Upstream snapd: versions prior to 2.75"

now the question is how do i force an update on that thing?
sudo apt upgrade did not include an update for snapd:

Upgrading:
bpftool linux-headers-generic linux-libc-dev linux-tools-common
linux-generic linux-image-generic linux-perf

Installing dependencies:
linux-headers-6.17.0-20 linux-image-6.17.0-20-generic linux-tools-6.17.0-20
linux-headers-6.17.0-20-generic linux-modules-6.17.0-20-generic linux-tools-6.17.0-20-generic

Suggested packages:
linux-tools

Not upgrading yet due to phasing:
fwupd libfwupd3

Summary:
Upgrading: 7, Installing: 6, Removing: 0, Not Upgrading: 2
Download size: 212 MB
Space needed: 421 MB / 417 GB available

edit:
i tried sudo apt install snapd but it returned:

snapd is already the newest version (2.73+ubuntu25.10.1).
snapd set to manually installed.

edit2:
or am i save because of this?:

Ubuntu 25.10 LTS: snapd versions prior to 2.73+ubuntu25.10.1

[–] ChrisG@lemmy.world 1 points 8 minutes ago

Switch to Devuan and have a peaceful life I guess.

Cheers!

[–] eksb@programming.dev 11 points 3 hours ago* (last edited 3 hours ago) (1 children)

Yet another critical vulnerability in systemd

This is a critical vulnerability in snapd, not systemd. It sounds like it could also be exploited if something other than systemd deleted the files in /tmp/. Or if /tmp/ was not mounted.

[–] ChrisG@lemmy.world 0 points 18 minutes ago

Yet another critical vulnerability in the much vaunted systemd has been exposed by a misbehaving app - in this case snapd.

Both need patching.

[–] Skullgrid@lemmy.world 8 points 3 hours ago (1 children)

No Dylan, don't bother fixing this shit, go straight for the boot licking commit.

[–] Exec@pawb.social 5 points 2 hours ago

go straight for the /boot licking commit

FTFY

[–] tomatoely@sh.itjust.works -1 points 3 hours ago

Snap back to reality