Your message dated Wed, 01 Jul 2026 17:48:42 +0000
with message-id <[email protected]>
and subject line Bug#1131120: fixed in snapd 2.76-1
has caused the Debian Bug report #1131120,
regarding snapd: CVE-2026-3888
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131120: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131120
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: snapd
Version: 2.68.3-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for snapd.

CVE-2026-3888[0]:
| Local privilege escalation in snapd on Linux allows local attackers
| to get root privilege by re-creating snap's private /tmp directory
| when systemd-tmpfiles is configured to automatically clean up this
| directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04
| LTS, 22.04 LTS, and 24.04 LTS.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3888
    https://www.cve.org/CVERecord?id=CVE-2026-3888
[1] https://www.openwall.com/lists/oss-security/2026/03/17/8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: snapd
Source-Version: 2.76-1
Done: Zygmunt Krynicki <[email protected]>

We believe that the bug you reported is fixed in the latest version of
snapd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zygmunt Krynicki <[email protected]> (supplier of updated snapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Jul 2026 17:30:14 +0000
Source: snapd
Architecture: source
Version: 2.76-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Hudson-Doyle <[email protected]>
Changed-By: Zygmunt Krynicki <[email protected]>
Closes: 1131120
Changes:
 snapd (2.76-1) unstable; urgency=medium
 .
   [ Ernest Lotter ]
   * New upstream release, LP: #2154498
     - assertions: add helper for validating integrity data
     - assertions: drop incorrect/non-standard Ed25519 support
     - confdb: allow only API admin read access to confdb secrets
     - confdb: block concurrent confdb accesses
     - confdb: block concurrent snapctl accesses to configuration
       database
     - confdb: check for ephemeral data when missing save-view hook on
       commit
     - confdb: ignore not-found errors in confdb-schema refreshes
     - confdb: support --wait-for timeouts when accessing confdb
     - core-initrd: add group referenced in udev rules
     - core-initrd: add libbpf dependency to initramfs
     - core-initrd: add missing libbpf dependency in 24.04 packaging
     - core-initrd: ensure audio is a system group
     - core-initrd: fix /boot/uboot mount with u-boot env in dedicated
       partition
     - core-initrd: increase mount burst from 5 to 128 for faster boot
     - core-initrd: sync partition udev rules with the ones in core-base
     - core-initrd: sync with latest upload to snappy-dev PPA
     - core-initrd: synchronize changelogs with latest PPA upload
     - core-initrd: update changelog with latest PPA upload
     - LP: #2150773 core-initrd: add nfnetlink module to fix nf netlink
       socket speed regression (Ubuntu Core only)
     - cross-distro: allow snapd to manipulate systemd unit files in
       SELinux policy
     - cross-distro: FIPS bootstrap and dispatch via snap-fips-dispatch
     - desktop: fix common ID selection with multiple desktop plugs
     - FDE: allow user mode on core in secboot TPM handling
     - FDE: bump go-efilib dependency
     - FDE: bump secboot to rev cdcb64992e54 for FDE fixes
     - FDE: deprecate check-pin/passphrase API endpoints
     - LP: #2147606 FDE: give inactive state on classic
     - FDE: improve tracing for OP-TEE probing
     - FDE: move auto-repair logic to overlord/fdestate and provide state
     - FDE: update secboot for TPM/FDE bug fixes including Intel HAP and
       recovery key parsing
     - FDE: use any primary key matching digest when adding a keyslot
     - FDE: use ignore action for preinstall check in VM
     - interfaces: bluez | drop explicit deny send_destination in D-Bus
       configuration
     - interfaces: conditionally deny /proc/self/mountinfo to suppress Go
       1.25+ denials
     - interfaces: custom-device | fix for-device validation panic on
       non-string value
     - interfaces: disallow auto-connect to parallel installs
     - interfaces: docker | make plug implicit on classic systems
     - interfaces: ignore errors in disconnect hooks during explicit snap
       disconnect
     - interfaces: mediatek-accel | add plug interface base declaration
     - interfaces: microceph-support | suppress noisy sudo denial audit
       logs
     - interfaces: podman | add new interface for podman socket access
     - interfaces: pulseaudio | fix security tag syntax inconsistency
     - interfaces: raw-usb | allow USB device enumeration on Fairphone 5
       with NexDock
     - interfaces: restore auto-connections on failed refresh undo
     - LP: #2148544 interfaces: bool-file | support deep SoC sysfs paths
       for LED brightness
     - LP: #2139213 packaging: make Ubuntu 16.04 packaging dep17
       compliant
     - packaging: add cross-distro build script and instructions
     - packaging: add openSUSE 16.0 spread support
     - packaging: Debian build improvements
     - packaging: default openSUSE to /var/lib/snapd/snap and sync from
       downstream
     - packaging: drop transitional packages only for Ubuntu 26.04
       (Resolute)
     - packaging: fix Launchpad FIPS build detection for snapd-fips job
     - packaging: refactor and clean up snapd.mk, standardize test-data
       directories
     - packaging: switch to golang-github-chai2010-gettext-go-dev
     - packaging: update bundled AppArmor 4.1.7 (snapd snap only)
     - prompting: escape paths in prompt constraints
     - prompting: improve API error handling and validation
     - prompting: improve error message when no handler service is
       present
     - prompting: re-enable the prompting notice backend
     - prompting: respond with full user-allowed permission set
     - prompting: validate permissions while unmarshalling
     - remote device management: implement dispatch-mgmt-messages task
       with sequencing support
     - LP: #2125344 snap: avoid empty channel forwarding message
     - LP: #2150683 snap: clarify snap install help text for --classic
       and --devmode
     - LP: #2152908 snap: print complex attributes in snap interface
       --attrs output
     - snap: add run-inhibit hint and inhibit info when a snap is
       disabled
     - snap: allow removing a snap and its base at the same time
     - snap: display detailed component information in snap info
     - snap: extend AlreadyInstalledError to multiple snaps and
       components
     - snap: extend set-quota command options description with accepted
       value formats
     - snap: implement snap delta command for computing snap deltas
     - snap: improve consistency for snap install when some snaps are
       already installed
     - snap: show hint in snap list that a snap has components
     - snap-confine: allow inheriting unix sockets from snaps
     - snap-confine: allow linking to libm in AppArmor profile
     - snap-confine: fix out-of-bounds read in mountinfo parser for
       partial escape sequences
     - snap-confine: harden bpffs mount with nosuid, nodev, noexec flags
     - snap-confine: remove experimental persistent per-user mount
       namespace feature
     - snap-confine: set FD_CLOEXEC on file descriptors returned by BPF
       helpers
     - snap-confine: support transparent_hugepage in AppArmor profile
     - snap-confine: use strchr after NUL-terminating in infofile parser
     - snap-update-ns: switch to a multi-pass process for constructing
       and updating mount namespaces
     - RemoveMountUnitFile now unmounts even if mount unit file is
       missing
     - Add explicit mount phase during single-reboot refresh to fix undo
       of kernel refreshes
     - Add security audit logging subsystem
     - Add base prioritized AppArmmor snippets for strictly confined or
       jailed snaps
     - Allow openshell snap to use experimental daemon-scope: user
     - Allow configuring mount unit options based on filesystem type
     - Allow equals signs in uevent values in netlink parser
     - Also bind-mount directories modified by kmod backend during
       preseed
     - Clean up potentially corrupted files during snap download undo
     - Complete the bootloader environment implementation
     - Copy integrity data files during snap install
     - Create hook for seed refresh mode
     - Create removal tasks for old seed-refresh seeds
     - Dispatch systemctl commands asynchronously when calling Stop()
     - Ensure /tmp/.X11-unix created inside mount namespace has correct
       permissions
     - Ensure exclusive changes conflict with refresh/revert
     - Ensure existing snap confinement flags are not dropped when
       installing or removing components
     - Export ubuntu-boot-state filename constant from bootloader package
     - Fix duplicate removal of apps under $SNAP_MOUNT_DIR/bin
     - Fix integration between prerequisites task and seed-refresh mode
     - Fix split-refresh overwriting provided lane
     - Fix use of umask in GetListener for socket activation
     - Ignore net.ErrClosed during daemon shutdown
     - Implement ResolveValidationSetsEnforcementError in terms of one
       call
     - Improve snapctl install consistency when components are already
       installed
     - Inject seed creation tasks into snap refresh flow
     - Introduce system options for custom certificates on Ubuntu Core
     - Keep idle services with activation units stopped on reload
     - List snap components in snap-debug-info via debug-tools
     - Look at gadget.yaml instead of marker file to determine ubootpart
       usage
     - LP: #1966067 Skip redundant xdg-settings confirmation prompt when
       setting is already correct
     - LP: #2110368 Fix component installation for private snaps via
       snapctl
     - LP: #2110368 Fix download of private snap components by setting
       UserID
     - LP: #2144666 Fix mount namespace updates with synthetic bind
       mounts on same target paths
     - LP: #2146337 Improve handling of failed downloads and retain
       partial files for resume
     - LP: #2147207 Fix snap enable/disable cycle forgetting components
     - Make run-inhibit hint for kill-snap-apps task based on kill reason
     - Merge content-provider prerequisite updates into seed-refresh
     - Move SortServices into Backend.StartServices
     - Move state to client change conversion to ctlcmd package
     - Omit misleading "try to refresh snapd" suggestion for ISA-related
       errors
     - Only create link-component tasks when needed during refresh to
       existing revision
     - Reconfigure piboot bootloader on gadget refreshes to preserve
       os_prefix
     - Reduce the number of AppArmor profile regenerations during snap
       operations
     - Refactor seed-refresh ownership to devicestate
     - Regenerate certificate database on remodels
     - Remove obsolete FIXME comment in VersionCompare
     - Remove unused GenerateDmVerityData helper from snap/integrity
     - Rename and document error type for ISA assumes flags
     - Restart snapd from daemon.Stop to improve restart reliability
     - Restart stopped services on error in stopSnapServices for
       transactionality
     - Simplify certificate-db updates on model-base refresh/installs
     - Support racing Loop and Stop correctly in overlord
     - Support sending file descriptors to systemd via sd_notify
     - Unroll CPU-heavy recursive function in snap state handlers
     - Update seccomp syscalls list for kernel 7.1.0
     - Use change ID to prevent nested seed-refresh spawned by
       prerequisites
     - Validate content interface plug target directories exist for
       core26+ snaps
     - Validate layout paths exist in snap tree for snaps using bare or
       core26+
 .
   [ Zygmunt Krynicki ]
   * Snapd 2.76 fixes CVE-2026-3888 (Closes: #1131120)
Checksums-Sha1:
 d9a1afd314e57305e10afbed086f0c8ed3f5cab6 3516 snapd_2.76-1.dsc
 b514339d8e99bb5cf93f0c295b009d4a0cbb47b6 8315284 snapd_2.76.orig.tar.xz
 189d477190abd9486dd4e2db4a83950018df42a1 155828 snapd_2.76-1.debian.tar.xz
 ec62eee4f266bec3cbc0b31e51aa0c231dc2d7c7 14057 snapd_2.76-1_source.buildinfo
Checksums-Sha256:
 8750dac543e1c499a2bc1cf36a3571c6309ade7c9f9c27e24fcb408f116fb56f 3516 
snapd_2.76-1.dsc
 a3cf8db70683e559e62d6e19d98b42fcc832c50f23a1d6d71efbd096fec2d4f4 8315284 
snapd_2.76.orig.tar.xz
 c302f6c896026a5b7ff51c27489c81a6bebec86827cc0aee8cb73900746da82c 155828 
snapd_2.76-1.debian.tar.xz
 ac8316c13c2f21a2623b4e6d2e5eca2d3121ad9f7979f14c3bdae6a0dab82ecd 14057 
snapd_2.76-1_source.buildinfo
Files:
 cede5d252e649b3d917f858daa9eff95 3516 devel optional snapd_2.76-1.dsc
 d656c1fa1576264d9d496827598367a0 8315284 devel optional snapd_2.76.orig.tar.xz
 c4195988840f96b0cbd5ca17893dc33c 155828 devel optional 
snapd_2.76-1.debian.tar.xz
 6d7f9f278723c9736bfa37ebec84cd32 14057 devel optional 
snapd_2.76-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEt2ztm0XK8VV9JxpqKJTpOijGe0cFAmpFTu8UHHprcnluaWNr
aUBnbWFpbC5jb20ACgkQKJTpOijGe0dLig/+IKF5LyYXPhR8CNAs8qTLhlSuPjq3
QqJcMH7opsU2fuYs8TcR2THDBdm+iakN4xUyFvcOeUYkLGDRQkP+kKCCZJ6Xj9th
8zOnnlPcbPjt4gz2RA4l7sjs5nI0LOl8ph2FGkI9K+xC+qdUJ5WQuA0bmg3HIWdm
DKPfgkS8wajhE4mPnzgNUCSFYr7BM6gLEpZ8RPmWuXetsTfDwUgBzClktwkE/8Ee
kCQ4Xt07CNTCEV+lt/9zN5X5Lr1f8+V4IG9XG8eTlr7HxRd9AKpRA7GbkxQCAA4D
YfWYFZEBJ+3nvzqmbbZb9ezhtoAVvPvjyBjS3SbOzSQTWFesrKhi1rkl8yeYBluQ
iiYgzYpOrH8kDsnCrCSmJdboU5OEFE7iw/ZIwkJpNeahYT8q727Y6fPDkxbPA0Nc
zqkiNbiWYZzEGLd/t5oTnjPO3m/QFIyL2AKf4NvODR9a0q20xJZEtXN5ZW1miLpe
wdvs9OvBUadLG5KlvhQL1uIjcYkLf2LdnJE/qpmhelTGQ/wZaWYyC8lNblxC4Cr0
X1E3w83qqBv8rIntQeQzodAubzqTauzh/KTPspRWOsZYrC+o6cllaYDbKbiNz2N5
69zfPHFCf8lYpv9AGbSTU+GzU2vX2Zctj5lAt9m6eheka3+kz5fFhhyygF3RNfax
7Ayo+2AlFHl+slA=
=DUwi
-----END PGP SIGNATURE-----

Attachment: pgpSbUytURnvF.pgp
Description: PGP signature


--- End Message ---

Reply via email to