Potential snap-confine Privilege Escalation via CVE-2026-3888

This rule detects non-root file creation within "/tmp/.snap" or its host backing path "/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888. In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this directory after it becomes stale, allowing an unprivileged user to recreate it and populate attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories should only be performed by root, non-root file activity in these locations is highly suspicious. This detection helps identify early stages of the exploit before privilege escalation is completed.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2026/03/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/18"

[rule]
author = ["Elastic"]
description = """
This rule detects non-root file creation within "/tmp/.snap" or its host backing path
"/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888.
In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as
root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this
directory after it becomes stale, allowing an unprivileged user to recreate it and populate
attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount
or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files
that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories
should only be performed by root, non-root file activity in these locations is highly suspicious. This
detection helps identify early stages of the exploit before privilege escalation is completed.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential snap-confine Privilege Escalation via CVE-2026-3888"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential snap-confine Privilege Escalation via CVE-2026-3888

This rule flags non-root creation of files under temporary snap sandbox directories that snap-confine should prepare as root, which can expose an attempt to abuse CVE-2026-3888 for local root access. A common pattern is an unprivileged user waiting for stale `/tmp/.snap` content to be removed, recreating that path, and dropping crafted libraries or configuration so the next snap launch pulls attacker-controlled files into the sandbox setup and elevates privileges.

### Possible investigation steps

- Review the originating user's recent terminal, SSH, sudo, and scheduled-task activity to determine whether the file creation was part of legitimate administration or an unexpected local execution chain.
- Inspect the affected `.snap` directory contents for crafted symlinks, shared libraries, configuration files, or path redirection artifacts that could be consumed during snap sandbox initialization.
- Correlate the activity with nearby launches of `snap`, `snap-confine`, `snapd`, or installed snap applications and determine whether any such execution was followed by a new root-level process tree.
- Look for evidence that `systemd-tmpfiles` or another cleanup mechanism removed the stale directory shortly before it was recreated by the unprivileged account, as this timing strongly supports CVE-2026-3888 exploitation behavior.
- Examine post-alert host activity for signs of successful escalation such as unexpected root-owned file changes, new setuid binaries, persistence creation, credential access, or security control tampering.

### False positive analysis

- A user troubleshooting a failing snap application may manually create or modify files under `/tmp/.snap` or `/tmp/snap-private-tmp/*/tmp/.snap`; verify by reviewing the parent shell/process lineage and nearby `snap` or `snap-confine` executions to confirm it was interactive testing with no follow-on root activity.
- Telemetry can occasionally attribute file creation to the invoking non-root user during normal snap sandbox initialization even though the privileged helper completes the action; verify by checking whether related `snap` or `snap-confine` events occurred at the same time and whether the final directory and files are owned by root.

### Response and remediation

- Isolate the affected Linux host from the network, stop any active `snap`, `snap-confine`, or suspicious root shell processes tied to the originating user, and preserve the contents of `/tmp/.snap` or `/tmp/snap-private-tmp/*/tmp/.snap` for evidence.
- Remove attacker-controlled files, symlinks, shared libraries, and configuration placed in the recreated `.snap` paths, then delete any persistence added after the event such as unauthorized `systemd` units, `/etc/cron*` entries, `~/.ssh/authorized_keys` changes, sudoers modifications, new local accounts, or unexpected setuid-root binaries.
- Escalate immediately to incident response and treat the host as fully compromised if you confirm a root-owned process tree descending from the unprivileged user, root-level file changes outside the temporary snap path, or tampering with `/etc/ld.so.preload`, PAM modules, or endpoint security agents.
- Restore the host to a known-good state by rebuilding or reimaging it when privilege escalation cannot be conclusively ruled out, or otherwise replace modified system files from trusted packages, rotate credentials exposed on the system, and verify correct root ownership and permissions on snap temporary directories before reconnecting it.
- Harden the environment by applying the vendor fix for CVE-2026-3888, updating `snapd` and related Ubuntu packages, restricting unnecessary local shell access, and increasing monitoring for non-root creation of files under `/tmp/.snap` and `/tmp/snap-private-tmp/*/tmp/.snap`.
"""
references = [
    "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root",
    "https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt"
]
risk_score = 73
rule_id = "44cb1d8a-1922-4fc0-a00f-36c1caf57393"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Use Case: Vulnerability",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "creation" and
file.path like ("/tmp/.snap*", "/tmp/snap-private-tmp/*/tmp/.snap*") and
user.id != "0"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
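To make the query's matching semantics concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the EQL filter above in plain Python and runs it over constructed endpoint events, then applies the first check from the false-positive section of the investigation guide: whether a `snap`/`snap-confine`/`snapd` process started on the same host within a few seconds of the file creation. The event dictionaries, host name, timestamps and file paths are all constructed for the example; the ECS field names follow those used in the rule's query.

```python
import fnmatch
from datetime import datetime, timedelta

# Path patterns copied from the rule's query. EQL `like` is a case-sensitive glob in
# which `*` matches any run of characters, including `/`, which is exactly what
# fnmatch.fnmatchcase does, so the two agree on every path below.
PATH_PATTERNS = ("/tmp/.snap*", "/tmp/snap-private-tmp/*/tmp/.snap*")
SNAP_PROCESSES = ("snap", "snap-confine", "snapd")


def eql_like(value, patterns):
    """EQL `field like (p1, p2, ...)`: true if the value matches any pattern."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def matches_rule(event):
    """Mirror of: file where host.os.type == "linux" and event.action == "creation"
    and file.path like (...) and user.id != "0".
    An EQL comparison against a missing field yields null (treated as false), so an
    event with no user.id does not match; the explicit `is not None` keeps that."""
    uid = event.get("user.id")
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "linux"
        and event.get("event.action") == "creation"
        and eql_like(event.get("file.path", ""), PATH_PATTERNS)
        and uid is not None
        and uid != "0"
    )


def nearby_snap_processes(hit, process_events, window=timedelta(seconds=5)):
    """Guide check for the attribution false positive: snap-related process execs on
    the same host within `window` of the flagged file creation."""
    return [
        p for p in process_events
        if p.get("host.name") == hit.get("host.name")
        and p.get("event.action") == "exec"
        and p.get("process.name") in SNAP_PROCESSES
        and abs(p["@timestamp"] - hit["@timestamp"]) <= window
    ]


def triage(file_events, process_events):
    """Run the rule over file events; annotate each hit with nearby snap launches."""
    results = []
    for ev in file_events:
        if not matches_rule(ev):
            continue
        related = [p["process.name"] for p in nearby_snap_processes(ev, process_events)]
        results.append({
            "path": ev["file.path"],
            "user.id": ev["user.id"],
            "nearby_snap_processes": related,
            "verdict": ("review: coincides with snap sandbox init" if related
                        else "suspicious: no snap launch nearby"),
        })
    return results


# Constructed sample telemetry (not real data); naive UTC timestamps for brevity.
T0 = datetime(2026, 3, 18, 10, 0, 0)
BASE = {"host.name": "web01", "host.os.type": "linux", "event.category": "file",
        "event.action": "creation"}
FILE_EVENTS = [
    # root preparing the sandbox directory: legitimate, excluded by user.id != "0"
    {**BASE, "@timestamp": T0, "file.path": "/tmp/.snap/xauth/.Xauthority", "user.id": "0"},
    # unprivileged user writing a shared library with no snap launch nearby
    {**BASE, "@timestamp": T0 + timedelta(minutes=5),
     "file.path": "/tmp/.snap/lib/libexample.so", "user.id": "1000"},
    # same user under the host backing path, one second before a snap-confine exec
    {**BASE, "@timestamp": T0 + timedelta(minutes=9),
     "file.path": "/tmp/snap-private-tmp/snap.firefox/tmp/.snap/xauth/x", "user.id": "1000"},
    # unrelated temp file: neither pattern matches (no leading dot)
    {**BASE, "@timestamp": T0, "file.path": "/tmp/snapshot.tar", "user.id": "1000"},
    # missing user.id: EQL's null comparison means no match
    {**BASE, "@timestamp": T0, "file.path": "/tmp/.snap/x"},
]
PROCESS_EVENTS = [
    {"@timestamp": T0 + timedelta(minutes=9, seconds=1), "host.name": "web01",
     "event.category": "process", "event.action": "exec", "process.name": "snap-confine"},
]

if __name__ == "__main__":
    for r in triage(FILE_EVENTS, PROCESS_EVENTS):
        print(r)
```

Two things worth checking when deploying the rule rather than this mock of it. First, `/tmp/.snap*` is a prefix match, so any dot-file in `/tmp` whose name starts with `.snap` (for example a `/tmp/.snapshot` directory) is also flagged; if that produces noise, the guide's ownership check (is the final directory root-owned?) is the quickest way to separate it from the CVE-2026-3888 pattern. Second, the rule as shown reads from `logs-endpoint.events.process*` while its query is a `file where ...` event, so confirm in your own deployment that the file-creation events this logic depends on are actually present in the data stream the rule is pointed at.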
