5.5
/ 10
MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel's __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating in public, and administrators should apply vendor kernel updates without delay.
## **What Was Found**
During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid.
The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets:
* **chage** (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44.
* **ssh-keysign** (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04.
* **pkexec** (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44.
* **accounts-daemon** (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44.
These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, file-capability binaries, and root daemons may be exploitable through the same primitive. Qualys developed four working exploits for CVE-2026-46333, covering chage, ssh-keysign, pkexec, and accounts-daemon. As part of the coordinated disclosure process, we withheld them publicly while distributions completed their packaging.
## **Understanding the Potential Impact, Severity and Scope**
CVE-2026-46333 is local-only, but the impact is severe. Local does not mean low priority. Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts.
## **Coordinated Disclosure and Why We Are Publishing Now**
Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination.
A short time later, an independent exploit derived from the public kernel commit appeared. With the embargo no longer providing protection, the list maintainers asked us to move the discussion to the public oss-security list. We posted a minimal notice at that point to preserve operational safety while distributions finished their patches and packaging work. Vendor patches from multiple distributions shipped over the following days.
Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies.
## **Immediate Action**
1. Apply the kernel update from your distribution and follow their guidelines for affected systems so the running kernel reflects the fix. Patched packages are available from Debian, Fedora, and other major vendors.
2. On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes.
3. Interim mitigation where patching must wait: raise kernel.yama.ptrace_scope to 2 (admin-only attach). This blocks the public exploits, since their pidfd_getfd(2) path is gated by __ptrace_may_access().
4. Refer to each affected distribution's security advisory (Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others) for the authoritative fixed versions and any vendor-specific mitigations.
## **Technical Details of the CVE-2026-46333:**
You can find the technical details of this vulnerability at:
https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt
## **Qualys QID Coverage for Detecting CVE-2026-46333:**
Qualys has released the following QIDs listed in the table below with Vulnerability Signatures versions VULNSIGS-2_6_607-2, VULNSIGS-2.6.608-2, VULNSIGS-2.6.607-2, and VULNSIGS-2.6.605-7. Additional QIDs will be released as they become available.
**QID**| **TITLE**
---|---
**387392******| Linux Kernel Local Privilege Escalation Vulnerability (CVE-2026-46333)
**6050281**| Red Hat Security Advisory for CVE-2026-46333 (Unfixed Vulnerability)
**6050650******| Red Hat Update for kernel (RHSA-2026:19521)
**6050671**| Red Hat Update for kernel (RHSA-2026:19540)
**944317******| AlmaLinux Security Update for kernel (ALSA-2026:A009)
**944318**| AlmaLinux Security Update for kernel (ALSA-2026:A010)
**944320******| AlmaLinux Security Update for kernel (ALSA-2026:A008)
**6683237**| CloudLinux 8 Security Update for kernel (CLSA-2026:A008)
**6683240******| CloudLinux 9 Security Update for kernel (CLSA-2026:A009)
**762598**| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1909-1)
**762604******| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1907-1)
**762614**| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1908-1)
**762618******| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1904-1)
**6276533**| Debian Security Update for linux (CVE-2026-46333)
**6277424******| Debian Security Update for linux (CVE-2026-46333)
**288719**| Fedora Security Update for kernel (FEDORA-2026-8b4a8d18d2)
**288720******| Fedora Security Update for kernel (FEDORA-2026-03be3dc34b)
## **Acknowledgments**
Qualys thanks the Linux kernel security team, in particular Linus Torvalds, Christian Brauner, Kees Cook, and Oleg Nesterov, for the rapid upstream fix; the distribution security teams, in particular Solar Designer, Sam James, and Salvatore Bonaccorso, who carried the patch downstream under unusually compressed conditions; and the maintainers of the linux-distros and oss-security lists.
## **What Was Found**
During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid.
The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets:
* **chage** (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44.
* **ssh-keysign** (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04.
* **pkexec** (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44.
* **accounts-daemon** (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44.
These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, file-capability binaries, and root daemons may be exploitable through the same primitive. Qualys developed four working exploits for CVE-2026-46333, covering chage, ssh-keysign, pkexec, and accounts-daemon. As part of the coordinated disclosure process, we withheld them publicly while distributions completed their packaging.
## **Understanding the Potential Impact, Severity and Scope**
CVE-2026-46333 is local-only, but the impact is severe. Local does not mean low priority. Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts.
## **Coordinated Disclosure and Why We Are Publishing Now**
Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination.
A short time later, an independent exploit derived from the public kernel commit appeared. With the embargo no longer providing protection, the list maintainers asked us to move the discussion to the public oss-security list. We posted a minimal notice at that point to preserve operational safety while distributions finished their patches and packaging work. Vendor patches from multiple distributions shipped over the following days.
Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies.
## **Immediate Action**
1. Apply the kernel update from your distribution and follow their guidelines for affected systems so the running kernel reflects the fix. Patched packages are available from Debian, Fedora, and other major vendors.
2. On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes.
3. Interim mitigation where patching must wait: raise kernel.yama.ptrace_scope to 2 (admin-only attach). This blocks the public exploits, since their pidfd_getfd(2) path is gated by __ptrace_may_access().
4. Refer to each affected distribution's security advisory (Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others) for the authoritative fixed versions and any vendor-specific mitigations.
## **Technical Details of the CVE-2026-46333:**
You can find the technical details of this vulnerability at:
https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt
## **Qualys QID Coverage for Detecting CVE-2026-46333:**
Qualys has released the following QIDs listed in the table below with Vulnerability Signatures versions VULNSIGS-2_6_607-2, VULNSIGS-2.6.608-2, VULNSIGS-2.6.607-2, and VULNSIGS-2.6.605-7. Additional QIDs will be released as they become available.
**QID**| **TITLE**
---|---
**387392******| Linux Kernel Local Privilege Escalation Vulnerability (CVE-2026-46333)
**6050281**| Red Hat Security Advisory for CVE-2026-46333 (Unfixed Vulnerability)
**6050650******| Red Hat Update for kernel (RHSA-2026:19521)
**6050671**| Red Hat Update for kernel (RHSA-2026:19540)
**944317******| AlmaLinux Security Update for kernel (ALSA-2026:A009)
**944318**| AlmaLinux Security Update for kernel (ALSA-2026:A010)
**944320******| AlmaLinux Security Update for kernel (ALSA-2026:A008)
**6683237**| CloudLinux 8 Security Update for kernel (CLSA-2026:A008)
**6683240******| CloudLinux 9 Security Update for kernel (CLSA-2026:A009)
**762598**| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1909-1)
**762604******| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1907-1)
**762614**| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1908-1)
**762618******| SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1904-1)
**6276533**| Debian Security Update for linux (CVE-2026-46333)
**6277424******| Debian Security Update for linux (CVE-2026-46333)
**288719**| Fedora Security Update for kernel (FEDORA-2026-8b4a8d18d2)
**288720******| Fedora Security Update for kernel (FEDORA-2026-03be3dc34b)
## **Acknowledgments**
Qualys thanks the Linux kernel security team, in particular Linus Torvalds, Christian Brauner, Kees Cook, and Oleg Nesterov, for the rapid upstream fix; the distribution security teams, in particular Solar Designer, Sam James, and Salvatore Bonaccorso, who carried the patch downstream under unusually compressed conditions; and the maintainers of the linux-distros and oss-security lists.
Basic Information
ID
QUALYSBLOG:E8F42A538BC8BA714502776CC6736B66
Published
May 20, 2026 at 15:40