Linux@lemmy.mlbyChrisG@lemmy.world
8 hours

Timing Flaw in systemd Cleanup Enables Root Privilege Escalation

cybersecurity88.com English

Yet another critical vulnerability in systemd, this time involving snapd. Ubuntu folk are affected.

“A serious security issue has been discovered in Ubuntu, and it is gaining attention in the cybersecurity community. The vulnerability is identified as CVE-2026-3888 and mainly affects Ubuntu Desktop systems from version 24.04 onwards. This flaw is dangerous because it allows an attacker with limited access to gain full root privileges. Root access means complete control over the entire system.”

20
    Ubuntu CVE-2026-3888: Timing Flaw in systemd Cleanup Enables Root Privilege Escalation - Cybersecurity88
    cybersecurity88.com
    A critical Ubuntu vulnerability (CVE-2026-3888) allows attackers to gain root access through a systemd cleanup timing flaw. Learn how it works and how to fix it.
    • AcornTickler@sh.itjust.works
      5 hours

      When I need to create scratch files I usually operate in /tmp. Almost all directories there that I saw were using randomized paths (e.g. UUIDs). I guess this is to prevent problems mentioned in the article. So, I believe this would be a vulnerability of snap, not systemd.

      I use Fedora where /tmp is created as tmpfs, which lives in RAM and is cleared when the system is shut down. I wonder what’s the benefit of Ubuntu’s approach.

      • ChrisG@lemmy.worldEnglish
        5 hours

        If you think about it for even a minute this is still a glaring cve in systemd, exposed in this case, by misbehaving snapd. systemd still needed to be patched and so did snapd.

        • villainy@lemmy.world
          3 hours

          Ubuntu configures systemd-tmpfiles to delete a snapd tmp dir, snapd runs setuid root and blindly trusts/executes files from a tmp dir it does not manage the life cycle of. Where is the flaw in systemd here?

    • eleijeep@piefed.socialEnglish
      7 hours

      Not a very good article. The original write-up (not linked anywhere in the article) is here: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root

      They also mention something else that’s interesting at the bottom of the write-up:

      Secondary Finding: Vulnerability in Ubuntu 25.10 uutils Coreutils

      In a proactive security effort prior to the release of Ubuntu Desktop 25.10, the Qualys Threat Research Unit assisted the Ubuntu Security Team in reviewing the uutils coreutils package (a Rust rewrite of standard GNU utilities).

      A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions (specifically /etc/cron.daily/apport). Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.

      The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.

    • eksb@programming.devEnglish
      8 hours

      Yet another critical vulnerability in systemd

      This is a critical vulnerability in snapd, not systemd. It sounds like it could also be exploited if something other than systemd deleted the files in /tmp/. Or if /tmp/ was not mounted.

      • Cris_Color@piefed.worldEnglish
        1 hour

        Is it possible they mean both snapd the program and sysd the project have a vulnerability? Is snapd built by sysd, or more of like a ubuntu extension of the sysd ecosystem that they’ve built themselves?

      • ChrisG@lemmy.worldEnglish
        5 hours

        Yet another critical vulnerability in the much vaunted systemd has been exposed by a misbehaving app - in this case snapd.

        Both need patching.

    • Skullgrid@lemmy.world
      8 hours

      No Dylan, don’t bother fixing this shit, go straight for the boot licking commit.

    • bad1080@piefed.socialEnglish
      6 hours

      how would i know if Kubuntu 25.10 is affected (based on ubuntu)?
      i guess this means yes?
      command 'snap' from deb snapd (2.73+ubuntu25.10.1)
      as it is lower than the version mentioned in the article “Upstream snapd: versions prior to 2.75”

      now the question is how do i force an update on that thing?
      sudo apt upgrade did not include an update for snapd:

      Upgrading:
      bpftool linux-headers-generic linux-libc-dev linux-tools-common
      linux-generic linux-image-generic linux-perf

      Installing dependencies:
      linux-headers-6.17.0-20 linux-image-6.17.0-20-generic linux-tools-6.17.0-20
      linux-headers-6.17.0-20-generic linux-modules-6.17.0-20-generic linux-tools-6.17.0-20-generic

      Suggested packages:
      linux-tools

      Not upgrading yet due to phasing:
      fwupd libfwupd3

      Summary:
      Upgrading: 7, Installing: 6, Removing: 0, Not Upgrading: 2
      Download size: 212 MB
      Space needed: 421 MB / 417 GB available

      edit:
      i tried sudo apt install snapd but it returned:

      snapd is already the newest version (2.73+ubuntu25.10.1).
      snapd set to manually installed.

      edit2:
      or am i save because of this?:

      Ubuntu 25.10 LTS: snapd versions prior to 2.73+ubuntu25.10.1

      • ChrisG@lemmy.worldEnglish
        5 hours

        Switch to Devuan and have a peaceful life I guess.

        Cheers!

    • corsicanguppy@lemmy.caEnglish
      4 hours

      “Systemd is built badly by weaponized dunning-kruger” – pros

      exploit [happens]

      World: surprised pikachu