Ubuntu has patched a local privilege-escalation flaw tied to Snap that could let an unprivileged local user gain root access on affected systems. Qualys disclosed the vulnerability this month, saying it stems from the interaction between two trusted system components: systemd-tmpfiles and snap-confine.
Qualys said the main exposure affects default installations of Ubuntu Desktop 24.04 and later, where the vulnerable Snap behavior is present out of the box.
Legacy Ubuntu releases from 16.04 through 22.04 LTS are not vulnerable in default configurations, Qualys said, but should still be patched where non-default setups may mimic newer behavior.
Patches are available, and organizations running affected Ubuntu systems should apply them promptly.
How the Exploit Works
The flaw arises because one trusted Ubuntu component removes a temporary directory that another later assumes is safe to use with elevated privileges. systemd-tmpfiles is a housekeeping service that creates and removes temporary directories and clears out stale files under locations such as /tmp. snap-confine is the privileged Snap component that builds the sandbox environment before a Snap application runs.
According to Qualys, the issue arises when systemd-tmpfiles deletes /tmp/.snap after it ages out. On Ubuntu 24.04, that cleanup window is 30 days. On later releases, it is 10 days. Once the directory is removed, a local attacker can recreate /tmp/.snap and place content there before snap-confine uses the path again.
When the next Snap sandbox is initialized, snap-confine bind-mounts that attacker-controlled content as root. That allows the attacker to influence a privileged operation in a way that can lead to root compromise.
Why Defenders Should Care
The bug requires local access, making it especially relevant in shared systems, enterprise workstations, developer machines, university labs and other multi-user environments. “Organizations should treat local privilege escalation as a serious post-compromise risk because it can turn a minor breach, an exposed user account, or a container foothold into complete host takeover and durable persistence,” Saeed Abbasi, senior manager of security research at Qualys Threat Research Unit, said in emailed comments.
The exploit also depends on a cleanup cycle that can take 10 to 30 days, making it more likely to matter in persistence or delayed escalation scenarios than in fast-moving opportunistic attacks.
What Defenders Should Do
Canonical published fixes for snapd on March 17, and Ubuntu said releases from 16.04 LTS through 25.10 received updates or related hardening, with default exposure centered on newer Ubuntu Desktop versions.
Organizations should review their Ubuntu fleet, identify systems running Snap, and verify that the relevant updates have been applied, especially on desktop and workstation systems.
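One way to check a host for the condition described above, as an added example that is not code from Qualys or Canonical: the script inspects /tmp/.snap and flags states consistent with the directory having been recreated by someone other than root. The helper name `check_snap_tmp`, the `SNAP_TMP` override and the rule that a legitimate directory is root-owned with no group or other write bit are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Qualys or Canonical code.
# Assumption: a legitimate /tmp/.snap is a real directory owned by root
# (uid 0) with no group/other write bit; anything else warrants review.

# check_snap_tmp PATH [EXPECTED_UID]   (hypothetical helper name)
# Prints: absent | ok | suspicious:<reason>. Returns 1 when suspicious.
check_snap_tmp() {
    path=$1
    expected_uid=${2:-0}

    # Check for a symlink first: -e and -d follow links, -L does not.
    if [ -L "$path" ]; then
        echo "suspicious:symlink"; return 1
    fi
    if [ ! -e "$path" ]; then
        echo "absent"; return 0      # aged out or never created
    fi
    if [ ! -d "$path" ]; then
        echo "suspicious:not-a-directory"; return 1
    fi

    owner=$(stat -c '%u' "$path")    # numeric owner uid (GNU stat)
    mode=$(stat -c '%a' "$path")     # octal mode, e.g. 755 or 1777
    if [ "$owner" != "$expected_uid" ]; then
        echo "suspicious:owner-uid-$owner"; return 1
    fi

    # Last octal digit is "other", the one before it is "group".
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    group=${group:-0}                # single-digit modes have no group digit
    if [ $(( other & 2 )) -ne 0 ] || [ $(( group & 2 )) -ne 0 ]; then
        echo "suspicious:mode-$mode"; return 1
    fi
    echo "ok"
}

# Audit the path named in the article; SNAP_TMP overrides it for testing.
target=${SNAP_TMP:-/tmp/.snap}
result=$(check_snap_tmp "$target") || echo "WARNING: review $target" >&2
echo "$target: $result"
```

A suspicious result is a reason to investigate the host, not proof of exploitation, and an "ok" result does not replace confirming that the snapd update has been installed.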
Separate Finding in Ubuntu 25.10
Separately, Qualys said its review of Ubuntu 25.10 uncovered a race condition involving the Rust-based uutils/coreutils package, specifically the rm utility. That issue was distinct from the Snap vulnerability and was addressed before release.