Yes, it does. The attacker knows that snap is going to look in /tmp/.snap/, inst... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		SoftTalker 30 days ago \| parent \| context \| favorite \| on: CVE-2026-3888: Important Snap Flaw Enables Local P... Yes, it does. The attacker knows that snap is going to look in /tmp/.snap/, instead of e.g. /tmp/.snap.FjBz8oEWaU/ (which isn't guessable in advance) so when /tmp is flushed, he just has to recreate /tmp/.snap/ before snap-confine does, and drop his payload there.

AgentME 30 days ago [–]

If the directory had a random name, the attacker could see that name and recreate it after /tmp is flushed.

lathiat 29 days ago | [–]

Only if you reuse the same random name. Which would be silly.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact