this post was submitted on 01 Apr 2026

53 points (77.9% liked)

Linux

64272 readers

564 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

Timing Flaw in systemd Cleanup Enables Root Privilege Escalation (cybersecurity88.com)

submitted 2 days ago by ChrisG@lemmy.world to c/linux@lemmy.ml

22 comments fedilink hide all child comments

Yet another critical vulnerability in systemd, this time involving snapd. Ubuntu folk are affected.

"A serious security issue has been discovered in Ubuntu, and it is gaining attention in the cybersecurity community. The vulnerability is identified as CVE-2026-3888 and mainly affects Ubuntu Desktop systems from version 24.04 onwards. This flaw is dangerous because it allows an attacker with limited access to gain full root privileges. Root access means complete control over the entire system."

top 22 comments

sorted by: hot top controversial new old

[–] FauxLiving@lemmy.world 17 points 1 day ago* (last edited 1 day ago)

This is not a systemd flaw. This is a snap bug.

e:f;b

[–] eksb@programming.dev 39 points 2 days ago* (last edited 2 days ago) (2 children)

Yet another critical vulnerability in systemd

This is a critical vulnerability in snapd, not systemd. It sounds like it could also be exploited if something other than systemd deleted the files in /tmp/. Or if /tmp/ was not mounted.

[–] Cris_Color@piefed.world 1 points 2 days ago (1 children)

Is it possible they mean both snapd the program and sysd the project have a vulnerability? Is snapd built by sysd, or more of like a ubuntu extension of the sysd ecosystem that they've built themselves?

[–] unique_hemp@discuss.tchncs.de 1 points 1 day ago

Snap is Canonical's project AFAIK

[–] mactan@lemmy.ml 16 points 2 days ago

snap

well there's your problem

[–] eleijeep@piefed.social 21 points 2 days ago (2 children)

Not a very good article. The original write-up (not linked anywhere in the article) is here: https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root

They also mention something else that's interesting at the bottom of the write-up:

Secondary Finding: Vulnerability in Ubuntu 25.10 uutils Coreutils

In a proactive security effort prior to the release of Ubuntu Desktop 25.10, the Qualys Threat Research Unit assisted the Ubuntu Security Team in reviewing the uutils coreutils package (a Rust rewrite of standard GNU utilities).

A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions (specifically /etc/cron.daily/apport). Successful exploitation could lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.

The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10. The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository.

[–] ozymandias117@lemmy.world 7 points 2 days ago (1 children)

Wait. So the flaw was in uutils, and this article reported it as a systemd bug...?

[–] Cyber@feddit.uk 4 points 2 days ago

And, even further: a rust implementation vulnerability too?

(Waits for C vs Rust war to start...)

[–] ChrisG@lemmy.world -1 points 2 days ago

Yes, thank you for the extra info!

[–] Skullgrid@lemmy.world 11 points 2 days ago (2 children)

No Dylan, don't bother fixing this shit, go straight for the boot licking commit.

[–] Exec@pawb.social 12 points 2 days ago

go straight for the /boot licking commit

FTFY

[–] giacomo@lemmy.dbzer0.com 1 points 2 days ago

from adding an age field to fixing snap, the guy does it all!

[–] AcornTickler@sh.itjust.works 7 points 2 days ago (1 children)

When I need to create scratch files I usually operate in /tmp. Almost all directories there that I saw were using randomized paths (e.g. UUIDs). I guess this is to prevent problems mentioned in the article. So, I believe this would be a vulnerability of snap, not systemd.

I use Fedora where /tmp is created as tmpfs, which lives in RAM and is cleared when the system is shut down. I wonder what's the benefit of Ubuntu's approach.

[–] ChrisG@lemmy.world -4 points 2 days ago (2 children)

If you think about it for even a minute this is still a glaring cve in systemd, exposed in this case, by misbehaving snapd. systemd still needed to be patched and so did snapd.

[–] villainy@lemmy.world 8 points 2 days ago

Ubuntu configures systemd-tmpfiles to delete a snapd tmp dir, snapd runs setuid root and blindly trusts/executes files from a tmp dir it does not manage the life cycle of. Where is the flaw in systemd here?

[–] AcornTickler@sh.itjust.works 3 points 2 days ago* (last edited 2 days ago)

I don't see how systemd is in wrong here. Curious, what would you change about it?

[–] bad1080@piefed.social 2 points 2 days ago* (last edited 2 days ago) (1 children)

how would i know if Kubuntu 25.10 is affected (based on ubuntu)?
i guess this means yes?
command 'snap' from deb snapd (2.73+ubuntu25.10.1)
as it is lower than the version mentioned in the article "Upstream snapd: versions prior to 2.75"

now the question is how do i force an update on that thing?
sudo apt upgrade did not include an update for snapd:

Upgrading:
bpftool linux-headers-generic linux-libc-dev linux-tools-common
linux-generic linux-image-generic linux-perf

Installing dependencies:
linux-headers-6.17.0-20 linux-image-6.17.0-20-generic linux-tools-6.17.0-20
linux-headers-6.17.0-20-generic linux-modules-6.17.0-20-generic linux-tools-6.17.0-20-generic

Suggested packages:
linux-tools

Not upgrading yet due to phasing:
fwupd libfwupd3

Summary:
Upgrading: 7, Installing: 6, Removing: 0, Not Upgrading: 2
Download size: 212 MB
Space needed: 421 MB / 417 GB available

edit:
i tried sudo apt install snapd but it returned:

snapd is already the newest version (2.73+ubuntu25.10.1).
snapd set to manually installed.

edit2:
or am i save because of this?:

Ubuntu 25.10 LTS: snapd versions prior to 2.73+ubuntu25.10.1

[–] ChrisG@lemmy.world 1 points 2 days ago

Switch to Devuan and have a peaceful life I guess.

Cheers!

[–] corsicanguppy@lemmy.ca 0 points 2 days ago* (last edited 2 days ago)

"Systemd is built badly by weaponized dunning-kruger" -- pros

exploit [happens]

World: surprised pikachu

[–] tomatoely@sh.itjust.works 0 points 2 days ago

Snap back to reality