Yet another critical vulnerability in systemd
This is a critical vulnerability in snapd, not systemd. It sounds like it could also be exploited if something other than systemd deleted the files in /tmp/. Or if /tmp/ was not mounted.
this post was submitted on 01 Apr 2026
46 points (78.8% liked)
Linux
65097 readers
944 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 7 years ago
MODERATORS
Is it possible they mean both snapd the program and sysd the project have a vulnerability? Is snapd built by sysd, or more of like a ubuntu extension of the sysd ecosystem that they've built themselves?
Snap is Canonical's project AFAIK
Not a very good article. The original write-up (not linked anywhere in the article) is here: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root
They also mention something else that's interesting at the bottom of the write-up:
Secondary Finding: Vulnerability in Ubuntu 25.10 uutils Coreutils
In a proactive security effort prior to the release of Ubuntu Desktop 25.10, the Qualys Threat Research Unit assisted the Ubuntu Security Team in reviewing the uutils coreutils package (a Rust rewrite of standard GNU utilities).
A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions (specifically /etc/cron.daily/apport). Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.
The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.
Wait. So the flaw was in uutils, and this article reported it as a systemd bug...?
And, even further: a rust implementation vulnerability too?
(Waits for C vs Rust war to start...)
Yes, thank you for the extra info!
snap
well there's your problem
This is not a systemd flaw. This is a snap bug.
The main reason behind this issue is the interaction between two system components. The first is snap-confine, which manages sandboxing for snap applications. The second is systemd-tmpfiles, which handles automatic cleanup of temporary files. Both are safe individually, but together they create a timing-based weakness.
The attack works in a simple but smart way and does not require complex steps. Ubuntu automatically deletes old files from the /tmp directory after a certain number of days. During this cleanup, an important directory used by snap-confine may get removed. This creates an opportunity for the attacker to act.
Once the directory is deleted, the attacker quickly recreates it with malicious content. These files are placed in a way that tricks the system into trusting them. When a snap application runs again, the system may load these files. Since snap-confine runs with higher privileges, the attacker’s code gets executed as root.
systemd cleans up /tmp periodically. That's it. No bug or exploit.
snap-confine is the program that reads files from /tmp and trusts the content without checking ownership.
Calling it a "systemd cleanup timing flaw" is inaccurate. This is entirely the fault of snap-confine.
Any errant application can expose this glaring systemd flaw
There is no systemd flaw here.
snap-confine creates /tmp/.snap owned by root.
systemd-tmpfiles can delete this directory because it also has root privileges. It will do so if the directory is inactive for, by default, 30 days. Files can be excluded from this by adding a .conf file to /etc/tmpfiles.d/, snap-confine does not do this.
Because the files are not excluded they will be deleted. systemd-tmpfiles can do this because it is running as root.
Once they are deleted a USER can recreate /tmp/.snap with malicious code.
snap-confine never verifies that the directory is owned by root, and performs its security checks before its privileged file operations, creating a race window. Because snap-confine is setuid root, it then bind-mounts files from the attacker-controlled /tmp/.snap into the snap sandbox's filesystem, allowing an attacker to execute arbitrary code as root.
What is the systemd-tmpfiles flaw? It does exactly what it is supposed to do, and it provides a means to exclude directories from its process. snap doesn't configure systemd to ignore the directories and it doesn't perform appropriate checks on the directory's ownership.
Exactly. systemd has a glaring security hole that had to be kludged. As tge OP I posted the article to warn non technical users of the danger but systemd defenders league are predictably blind to any possible flaw in their golden calf and cannot resist the temptation to rush to battle. yawn
What is the security hole in systemd?
You haven't answered this.
systemd-tmpfiles exists to delete inactive files in /tmp. That's not a security flaw, that's system maintenance. It's the documented purpose of systemd-tmpfiles and it performs exactly was documented.
The security hole is in snap-confine which does not verify that its own directory is owned by root before mounting it AS ROOT. That's the security hole.
So, again, what is the security hole in systemd?
If you don't have an answer then just say so. Resorting to name calling and trying to frame this as if I'm the irrational one is absurd.
When I need to create scratch files I usually operate in /tmp. Almost all directories there that I saw were using randomized paths (e.g. UUIDs). I guess this is to prevent problems mentioned in the article. So, I believe this would be a vulnerability of snap, not systemd.
I use Fedora where /tmp is created as tmpfs, which lives in RAM and is cleared when the system is shut down. I wonder what's the benefit of Ubuntu's approach.
If you think about it for even a minute this is still a glaring cve in systemd, exposed in this case, by misbehaving snapd. systemd still needed to be patched and so did snapd.
Ubuntu configures systemd-tmpfiles to delete a snapd tmp dir, snapd runs setuid root and blindly trusts/executes files from a tmp dir it does not manage the life cycle of. Where is the flaw in systemd here?
Read
I don't see how systemd is in wrong here. Curious, what would you change about it?
Stop using it.
No Dylan, don't bother fixing this shit, go straight for the boot licking commit.
go straight for the
/bootlicking commit
FTFY
from adding an age field to fixing snap, the guy does it all!
how would i know if Kubuntu 25.10 is affected (based on ubuntu)?
i guess this means yes?
command 'snap' from deb snapd (2.73+ubuntu25.10.1)
as it is lower than the version mentioned in the article "Upstream snapd: versions prior to 2.75"
now the question is how do i force an update on that thing?
sudo apt upgrade did not include an update for snapd:
Upgrading:
bpftool linux-headers-generic linux-libc-dev linux-tools-common
linux-generic linux-image-generic linux-perfInstalling dependencies:
linux-headers-6.17.0-20 linux-image-6.17.0-20-generic linux-tools-6.17.0-20
linux-headers-6.17.0-20-generic linux-modules-6.17.0-20-generic linux-tools-6.17.0-20-genericSuggested packages:
linux-toolsNot upgrading yet due to phasing:
fwupd libfwupd3Summary:
Upgrading: 7, Installing: 6, Removing: 0, Not Upgrading: 2
Download size: 212 MB
Space needed: 421 MB / 417 GB available
edit:
i tried sudo apt install snapd but it returned:
snapd is already the newest version (2.73+ubuntu25.10.1).
snapd set to manually installed.
Switch to Devuan and have a peaceful life I guess.
Cheers!
Snap back to reality
"Systemd is built badly by weaponized dunning-kruger" -- pros
exploit [happens]
World: surprised pikachu