Summary of "SystemD Root Access Exploit Found, Devuan Team Calls SystemD "Unicorn Sh*t""
Summary — technical points, analysis, and actions
Vulnerability (local root privilege escalation)
- A high-severity local root exploit affecting Ubuntu was disclosed (referenced as CVE‑2026‑3888).
- Root cause:
- Ubuntu’s automatic cleanup of old files in /tmp had its policy changed (approximately from ~30 to ~10 days).
- This cleanup can remove a directory used by snap-confine. An attacker can recreate that directory with malicious files which the snap runtime later trusts and loads.
- Because snap-confine runs with elevated privileges, the attack results in arbitrary code execution as root.
- Characteristics of the exploit:
- Simple to perform.
- Relies on race/cleanup and trusted-path assumptions rather than complex exploit chaining.
Related security findings
- While addressing the above, maintainers discovered another high-severity vulnerability in a Rust-based rewrite of core utilities (the speaker referenced something akin to “pseudo/sudo”).
- That bug was patched prior to public disclosure.
- The speaker framed these issues as part of a broader pattern: rewriting long-standing, well-tested tools and substantially increasing system complexity often expands the attack surface and produces more high-severity bugs.
Architectural and engineering critique
- Criticism focused on the complexity of the modern Linux stack (systemd, snap, etc.):
- Large, multi-feature components and many layers running with root privileges increase risk compared to small single-purpose tools.
- Rewriting trusted code in new languages and adding privileged layers is described as creating an “almost perfect storm” for vulnerabilities.
- Satirical remarks noted feature bloat in systemd (example: hypothetical “age verification” and other unrelated features being bundled).
Devuan response and policy decisions
- Devuan (a Debian derivative that avoids systemd) posted a mocking message about the systemd-related vulnerability.
- Devuan’s founder reportedly said:
- Devuan removed machine-id in 2019.
- They will remove any “age-verification” code they inherit from upstream — an explicit policy to strip such features.
- The speaker is tracking which projects plan to implement or refuse “age verification” (mentions GNOME, freedesktop, D‑Bus, Debian, Ubuntu as being involved in those conversations).
Other projects
- XLibre (an open-source X server) reportedly told the speaker they will not add age-verification functionality — cited as an example of a core project resisting unrelated feature creep.
Resources and next steps from the speaker
- The speaker maintains a running list at luk.com of:
- Projects confirmed to implement age verification.
- Projects opposed to it.
- The speaker will update/follow up on Devuan’s stance.
- Mentioned community/subscription items (Lunduke Journal) but no additional technical guidance.
Practical implications and mitigation notes
- Systems using snap and Ubuntu should:
- Monitor for updates/patches related to CVE‑2026‑3888 and apply them promptly.
- Longer-term mitigations and design recommendations:
- Reduce privileged monolithic components.
- Minimize privileged runtime code.
- Limit trusted-search paths and avoid relying on mutable/externally cleaned directories for privileged services.
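An added check illustrating the last two recommendations (example code written for this summary, not snap-confine's or Ubuntu's code; the directories it inspects are constructed in a temporary location): before loading anything, a privileged service verifies that a directory it depends on is still owned by the expected user, is not a symlink, and is writable by nobody else, so a path that tmp cleanup removed and another local user recreated is rejected rather than trusted.

```python
"""Trusted-path check for a privileged service (illustrative, not snap-confine's code)."""
import os
import stat
import tempfile


def trusted_dir_problems(path: str, owner_uid: int) -> list[str]:
    """Return the reasons why `path` must not be trusted (empty list means OK)."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    except FileNotFoundError:
        return [f"{path}: missing (may have been removed by tmp cleanup)"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others")
    # Every entry must be a regular file with the same owner and no foreign write access.
    for name in os.listdir(path):
        full = os.path.join(path, name)
        est = os.lstat(full)
        if not stat.S_ISREG(est.st_mode):
            problems.append(f"{full}: not a regular file")
        if est.st_uid != owner_uid:
            problems.append(f"{full}: owned by uid {est.st_uid}, expected {owner_uid}")
        if est.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{full}: writable by group or others")
    return problems


def demo() -> dict[str, bool]:
    """Constructed scenarios: a fresh private directory, then the same directory after
    the kind of tampering a local user could do once it has been re-created."""
    me = os.getuid()
    results = {}
    d = tempfile.mkdtemp()  # mode 0700, owned by the caller
    results["fresh private dir trusted"] = trusted_dir_problems(d, me) == []
    results["foreign owner rejected"] = trusted_dir_problems(d, me + 1) != []
    os.chmod(d, 0o777)  # now any local user could plant files here
    results["world-writable rejected"] = trusted_dir_problems(d, me) != []
    os.chmod(d, 0o700)
    link = d + ".lnk"
    os.symlink(d, link)  # a symlink standing in for the directory
    results["symlink rejected"] = trusted_dir_problems(link, me) != []
    os.unlink(link)
    os.rmdir(d)
    return results
```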
Main speakers / sources (identified in subtitles)
- Bryan Lunduke (speaker; runs Lunduke Journal and luk.com)
- Devuan project / Devuan founder (Devuan.org, social posts)
- Cybersecurity researcher/account referenced as “cyberc8” (provided exploit details)
- Affected components/projects: Ubuntu, systemd, snap / snap-confine, Rust rewrites of coreutils (unnamed utility), XLibre, upstream projects (Debian, GNOME, freedesktop, D‑Bus)
Category
Technology