CVE-2026-3888: Important Snap Flaw Enables Local Privilege Escalation to Root

(blog.qualys.com)

32 points by askl4 hours ago

4 comments

ptx1 hour ago
Better to follow the link to the technical details and just read those: <a href="https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt" rel="nofollow">https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-sys...</a>The article linked in the submission is more verbose but less clear and half of it is an advertisement for their product.
rglover13 minutes ago
Semi-related: does anybody know of a reliable API that announces CVEs as they're published?
ifh-hn1 hour ago
I wonder if, and this is just speculating not trying to start an arguement, if this sort of thing could have happened in the simpler pre-snap, pre-systemd systems? More to the point is this a cause of using more complicated software?
- dogleash1 hour ago
 Permission and timing gotchas in /tmp predate snap and systemd. It's why things like `mkstemp` exist.I remember cron jobs that did what systemd-tmpfiles-clean does before it existed. All unix daemons using /tmp run the risk of misusing /tmp. I don't know snap well enough to say anything about it makes it uniquely more susceptible to that.
 - SoftTalker34 minutes ago
 The mistake seems to be using a predictable path (/tmp/.snap) in a publicly-writable directory.
cyberpunk1 hour ago
[flagged]
- dgxyz31 minutes ago
 Rewrite tools in new language, get new exciting bugs!
- delamon1 hour ago
 Rust cannot help you if race condition crosses API boundary. No matter what language you use, you have to think about system as a whole. Failure to do that results in bugs like this
 - bangaladore1 hour ago
 The bigger problem here is it seems like the rust utilities were rushed to be released without extensive testing or security analysis because simply because they are written in rust. And this isn't the first serious flaw because of that.Doesn't surprise me coming from Canonical though.At least that's the vibe I'm getting from [1] and definitely [2][1] <a href="https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt" rel="nofollow">https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-sys...</a> [2] <a href="https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug/2111815" rel="nofollow">https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bu...</a>
 - yjftsjthsd-h46 minutes ago
 The best discussion I can find for the official reasons for switching is <a href="https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995" rel="nofollow">https://discourse.ubuntu.com/t/carefully-but-purposefully-ox...</a> -> But… why?> Performance is a frequently cited rationale for “Rewrite it in Rust” projects. While performance is high on my list of priorities, it’s not the primary driver behind this change. These utilities are at the heart of the distribution - and it’s the enhanced resilience and safety that is more easily achieved with Rust ports that are most attractive to me.> The Rust language, its type system and its borrow checker (and its community!) work together to encourage developers to write safe, sound, resilient software. With added safety comes an increase in security guarantees, and with an increase in security comes an increase in overall resilience of the system - and where better to start than with the foundational tools that build the distribution?So yes, it sounds like the primary official reason is "enhanced resilience and safety". Given that, I would be interested in seeing the number of security problems in each implementation over time. GNU coreutils does have problems from time to time, but... <a href="https://app.opencve.io/cve/?product=coreutils&vendor=gnu" rel="nofollow">https://app.opencve.io/cve/?product=coreutils&vendor=gnu</a> only seems to list 10 CVEs since 2005. Unfortunately I can't find an equivalent for uutils, but just from news coverage I'm pretty sure they have a worse track record thus far.