If you have ever tried to install an application on Ubuntu and found it missing from the APT repository, chances are it is available as a snap package instead. Knowing how to install and use snapd on Ubuntu 26.04 LTS is one of the most practical skills any Linux user or sysadmin can develop in 2026. This guide walks you through every step, from verifying whether snapd is already running on your system to managing packages, controlling auto-updates, auditing security, and fixing the errors that trip up most users.

Ubuntu 26.04 LTS, codenamed “(Resolute Raccoon)” ships with snapd pre-installed on the standard desktop ISO. However, minimal server installs, community flavors like Ubuntu MATE, and custom cloud images often omit it entirely. This tutorial covers both scenarios. Whether you are provisioning a fresh VPS or just getting familiar with snap on your local machine, everything you need is right here.

One more reason this guide is especially relevant right now: in March 2026, the Qualys Threat Research Unit disclosed CVE-2026-3888, a local privilege escalation vulnerability in snapd that affects Ubuntu 24.04, 25.10, and 26.04 dev builds. Running an unpatched snapd version on Ubuntu 26.04 allows a local attacker to gain full root access without any user interaction. The security section in this article tells you exactly how to check and fix that.

Prerequisites

Before running any command in this guide, confirm the following:

• Operating system: Ubuntu 26.04 LTS (Resolute Raccoon), desktop or server
• User account: A non-root user with sudo privileges
• Internet connection: Required for downloading from the Snap Store
• Terminal access: Either a local terminal or SSH access for remote servers
• Ubuntu version confirmed: Run lsb_release -a before proceeding

If your output shows Release: 26.04, you are in the right place. Any other version means some commands in this guide may behave differently.

Step 1: Update Your System Before Any Installation

Always run a full system update before installing new packages. This is not optional boilerplate advice. On Ubuntu 26.04, skipping this step could mean you install snapd and immediately expose your system to CVE-2026-3888, the local privilege escalation flaw patched in snapd 2.74.1+ubuntu26.04.1.

sudo apt update && sudo apt upgrade -y

What this does: apt update refreshes the local package index against the Ubuntu repositories. apt upgrade -y applies all available updates, including the snapd security patch, without asking for confirmation.

Why this matters: The APT package cache on a freshly provisioned server can be days or weeks behind the current repository. Running upgrade first ensures you install the patched version of snapd from the very beginning, not a vulnerable one that you then have to patch again.

Expected output:

Hit:1 http://archive.ubuntu.com/ubuntu questing InRelease
...
Reading package lists... Done
Building dependency tree... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not changed.

If you see packages upgraded in that last line, good. That means your system just received pending security fixes.

Step 2: Check If Snapd Is Already Installed

On Ubuntu 26.04 LTS, snapd ships pre-installed on the standard desktop ISO. Installing it again on a system where it already exists wastes time and can reset configuration files. Check first.

snap version

What this does: Queries the snap CLI tool and the running snapd daemon for their current version numbers.

Expected output if snapd is installed:

snap    2.74.1+ubuntu26.04.1
snapd   2.74.1+ubuntu26.04.1
series  16
ubuntu  26.04
kernel  6.14.0-15-generic

Expected output if snapd is not installed:

Command 'snap' not found, but can be installed with:
sudo apt install snapd

If the command returns a version number, jump ahead to Step 4. If it returns command not found, continue with Step 3.

You can also check whether the snapd service exists at all:

systemctl status snapd

If the output says Unit snapd.service could not be found, snapd is not installed. If it shows active (running), your daemon is already up.

Step 3: Install Snapd via APT

Installing snapd on Ubuntu 26.04 uses the standard APT package manager. This step applies to server installs, minimal Ubuntu installs, and flavors like Ubuntu MATE or Ubuntu Studio that ship without snap by default.

sudo apt install snapd -y

What this does: Downloads and installs the snapd package, which includes the snapd daemon, the snap CLI tool, and the snap-confine binary that builds and enforces snap sandboxes.

Why -y matters: The -y flag suppresses the confirmation prompt. On a server managed through automation scripts, that prompt would block the script indefinitely. In an interactive session, it just saves you a keystroke, though you can skip it if you prefer to review before confirming.

After the install completes, verify the snapd version matches the patched release:

snap version

Confirm the snapd line shows 2.74.1+ubuntu26.04.1 or later. If it shows anything lower, run sudo apt upgrade snapd immediately to apply the CVE-2026-3888 patch.

Step 4: Enable and Start the Snapd Service

Installing the snapd package does not always mean the daemon starts automatically, especially on server installs. You need to explicitly enable and start both the snapd service and the snapd socket.

sudo systemctl enable --now snapd
sudo systemctl enable --now snapd.socket

What enable --now does: enable tells systemd to start this service automatically on every future boot. The --now flag starts it immediately in the current session, so you do not have to reboot before using snap commands.

Why the socket matters: The snapd.socket is a systemd socket unit that activates snapd on demand when the snap CLI sends a command. Without it, snap commands either hang indefinitely or return connection errors even though the daemon is technically installed.

Verify both are active:

sudo systemctl status snapd
sudo systemctl status snapd.socket

Look for Active: active (running) in the snapd output and Active: active (listening) in the socket output. If either shows inactive or failed, the troubleshooting section covers what to do.

One more step specific to Ubuntu 26.04: create the /snap symlink if it does not exist. Some minimal installs omit it:

sudo ln -s /var/lib/snapd/snap /snap

Why this symlink exists: Snap applications mount their read-only squashfs images under /snap/. Without this symlink pointing to the actual snapd data directory, all snap mounts fail silently.

Step 5: Understand Snap Channels and Confinement Before Installing Anything

Most guides skip this section. That is a mistake. Before you install a single snap package, you need to understand two concepts: channels and confinement levels. Getting these wrong on a production server can expose you to unstable builds or give an application unrestricted root-level access to your filesystem.

Snap Channels

Every snap package publishes updates through four risk channels:

• stable — Production-ready. This is the default when you run snap install without specifying a channel.
• candidate — Near-final testing. Stable in practice but not officially signed off.
• beta — Feature-complete but potentially buggy.
• edge — Latest commits from the development branch. Expect breakage.

On Ubuntu 26.04, Canonical’s policy requires snaps bundled with the OS to track the stable risk channel. Always verify which channel a snap is tracking after installation:

snap info vlc

Look for the tracking field in the output. If it shows latest/stable, you are on the right track.

Snap Confinement Levels

Confinement is snapd’s security model. It determines what parts of your system a snap can access.

• Strict — The default and most secure level. The snap runs inside a sandbox enforced by AppArmor profiles, Seccomp syscall filters, and private mount namespaces. It can only access resources explicitly granted through snap interfaces.
• Classic — No sandbox. The snap runs with the full privileges of the invoking user, just like a .deb package installed with APT. VS Code, Slack, and IntelliJ IDEA all use classic confinement.
• Devmode — Developer testing only. Behaves like strict but logs violations instead of blocking them. Never use this in production.

The critical rule: Before installing any snap, run snap info <package> and check the confinement field. If it says classic, you are installing software with unrestricted filesystem access. That is your informed choice to make, but make it intentionally.

Step 6: Install and Use Snapd on Ubuntu 26.04 LTS to Manage Packages

Now you are ready to install and use snapd on Ubuntu 26.04 LTS for real package management. This section covers the four core operations you will use every day.

Search for a Snap Package

snap find "media player"
snap info vlc

snap find queries the Snap Store and returns matching packages with publisher names and version numbers. snap info gives you the full detail view: available channels, confinement level, download size, and whether the publisher has a verified badge.

Always check the publisher verification status. A green checkmark (✓) in the output means Canonical or a verified official publisher signed the snap. An unverified publisher is a yellow flag, especially for tools that request broad interface access.

Install a Snap Package

sudo snap install vlc
sudo snap install hello-world
sudo snap install code --classic

The first two commands install strictly confined snaps. The third installs VS Code with classic confinement, which is why it requires the --classic flag. Without that flag, snapd refuses the installation and returns:

error: This revision of snap "code" was published using classic confinement
       and thus may perform arbitrary system changes outside of the security
       sandbox that snaps are usually confined to. If you understand and
       accept this, re-run the command including --classic.

This forced acknowledgment is intentional. Canonical designed it so you cannot accidentally install an unconfined application.

After installation, confirm it worked:

snap list

Expected output:

Name        Version   Rev    Tracking       Publisher   Notes
code        1.89.1    184    latest/stable  vscode✓     classic
vlc         3.0.21    3876   latest/stable  videolan✓   -

The Notes column shows classic for VS Code and a dash for strictly confined snaps.

Update Snap Packages

snapd checks for updates four times per day by default and applies them automatically. To trigger a manual update:

sudo snap refresh
sudo snap refresh vlc
sudo snap refresh --list

snap refresh --list is the most useful command for sysadmins. It shows pending updates without applying them. Use it during change control reviews before allowing updates to go through in production.

After a refresh, snapd keeps the previous revision on disk. This means you can always roll back:

sudo snap revert vlc

Why rollback works instantly: snapd does not delete the old revision’s squashfs image after an update. It just switches the /snap/<name>/current symlink to point to the new revision. Reverting just moves that symlink back to the previous revision. The whole operation takes under two seconds.

Remove a Snap Package

sudo snap remove vlc
sudo snap remove vlc --purge

snap remove uninstalls the snap and its revisions but keeps the user data directory at ~/snap/vlc/. The --purge flag deletes that directory too. Use --purge when you want a completely clean removal with no leftover configuration.

Step 7: Control Snap Auto-Update Behavior

Automatic updates are a double-edged feature. On a desktop, they are convenient. On a production server, they can trigger unexpected application restarts at any hour. Set a dedicated refresh window:

sudo snap set system refresh.timer=02:00-04:00

What this does: Restricts all automatic snap updates to the two-hour window between 2:00 AM and 4:00 AM, when your server traffic is likely at its lowest.

To pause updates entirely during a change freeze:

sudo snap set system refresh.hold=72h

This delays all pending snap updates by 72 hours. After that window expires, snapd resumes normal update checks. You can extend the hold, but snapd enforces a maximum hold period of 90 days before it forces an update regardless.

Why NOT to mask the snapd service: Some tutorials suggest running sudo systemctl mask snapd to stop all updates. This breaks all snap functionality and can cause errors during apt upgrade if APT tries to update the snapd package itself. Use the refresh timer instead.

Step 8: Audit and Manage Snap Interfaces

Snap interfaces are the access control layer for strictly confined snaps. They control exactly what hardware and system resources a snap can reach: your camera, microphone, home directory, network, USB devices, and more.

View all interfaces connected to an installed snap:

snap connections vlc

Grant a new interface permission:

sudo snap connect vlc:camera

Revoke a permission:

sudo snap disconnect vlc:camera

List all available system-wide interfaces:

snap interfaces

On a headless server, disconnect camera and microphone interfaces from any snap that does not need them. The reduced attack surface matters because AppArmor and Seccomp profiles regenerate dynamically every time you connect or disconnect an interface.

To audit which of your installed snaps use classic confinement and therefore have no sandbox at all, run this one-liner:

for snap in $(snap list | awk 'NR>1 {print $1}'); do
  conf=$(snap info "$snap" 2>/dev/null | grep "^confinement:" | awk '{print $2}')
  if [ "$conf" = "classic" ]; then
    echo "$snap: $conf"
  fi
done

Any snap listed in that output has unrestricted system access. Review each one and confirm it belongs there.

Step 9: Apply the CVE-2026-3888 Security Patch

In March 2026, Qualys disclosed a critical local privilege escalation vulnerability in snapd. The flaw lives inside snap-confine, the privileged binary that constructs the snap sandbox at launch time. By exploiting a race condition between snap-confine and systemd’s tmpfiles.d cleanup routine, a local unprivileged user can gain full root access.

The fix is already in the Ubuntu 26.04 repository. Patch immediately:

sudo apt update && sudo apt upgrade -y

Verify you are on the patched version:

snap version

The snapd line must show 2.74.1+ubuntu26.04.1 or higher to confirm the CVE-2026-3888 fix is in place.

If you cannot update immediately (for example, during a production freeze), restrict login access for any local non-admin users until the patch window opens. The vulnerability requires local user access to exploit, so it is not remotely exploitable.

Troubleshooting Common Snapd Errors on Ubuntu 26.04

Error: snap: command not found

Cause: snapd is not installed, or the /usr/bin/snap path is missing from your shell’s $PATH.

Fix:

sudo apt install snapd -y

Log out and log back in to refresh the PATH. On servers, disconnect and reconnect your SSH session.

Error: snapd.service inactive or failed

Cause: The daemon was not started after installation, or it crashed.

Fix:

sudo systemctl enable --now snapd
sudo systemctl enable --now snapd.socket

Check the logs for the root cause:

journalctl -u snapd --since "10 minutes ago"

Error: too many levels of symbolic links

Cause: The /snap symlink is missing or broken on a minimal install.

Fix:

sudo ln -s /var/lib/snapd/snap /snap

Reboot after creating the symlink.

Error: snap "x" has "classic" confinement (install refused)

Cause: You tried to install a classic snap without the --classic flag.

Fix:

sudo snap install <package> --classic

Read the warning snapd prints before running this. Classic snaps have no sandbox.

Snap App Launches and Immediately Closes

Cause: This is a known Ubuntu 26.04 issue affecting several snaps, including Obsidian. The snap user data directory under ~/snap/<appname>/ becomes corrupted, often after a failed update.

Fix:

sudo snap remove <appname> --purge
sudo snap install <appname>

Removing with --purge clears the corrupted data directory. A fresh install starts with a clean state.

Congratulations! You have successfully installed Snap. Thanks for using this tutorial for installing the Snap on the Ubuntu 26.04 LTS (Resolute Raccoon) system. For additional help or useful information, we recommend ysou check the Snapcraft website.