CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs May 21, 2026

CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path - Qualys

Qualys Archived May 21, 2026 ✓ Full text saved

CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path Qualys

Full text archived locally
✦ AI Summary · Claude Sonnet


    Table of Contents What Was Found Understanding the Potential Impact, Severity, and Scope Coordinated Disclosure and Why We Are Publishing Now Immediate Action Technical Details of the CVE-2026-46333: Acknowledgments Qualys QID Coverage for Detecting CVE-2026-46333: CVE-2026-46333 mitigant information: Discover Vulnerable CVE-2026-46333 Assets with Qualys CyberSecurity Asset Management Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate CVE-2026-46333 Automatically Patch CVE-2026-46333 with Qualys Patch Management The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay. What Was Found During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid. The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets: chage (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44. ssh-keysign (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04. pkexec (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44. accounts-daemon (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44.  These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, file-capability binaries, and root daemons may be exploitable through the same primitive. Qualys developed four working exploits for CVE-2026-46333, covering chage, ssh-keysign, pkexec, and accounts-daemon. As part of the coordinated disclosure process, we withheld them publicly while distributions completed their packaging. Understanding the Potential Impact, Severity, and Scope CVE-2026-46333 is local-only, but the impact is severe. Local does not mean low priority. Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts. Coordinated Disclosure and Why We Are Publishing Now Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination. A short time later, an independent exploit derived from the public kernel commit appeared. With the embargo no longer providing protection, the list maintainers asked us to move the discussion to the public oss-security list. We posted a minimal notice at that point to preserve operational safety while distributions finished their patches and packaging work. Vendor patches from multiple distributions shipped over the following days.  Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies. Immediate Action Apply the kernel update from your distribution and follow their guidelines for affected systems so the running kernel reflects the fix. Patched packages are available from Debian, Fedora, and other major vendors. On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes. Interim mitigation where patching must wait: raise kernel.yama.ptrace_scope to 2 (admin-only attach). This blocks the public exploits, since their pidfd_getfd(2) path is gated by __ptrace_may_access(). Refer to each affected distribution’s security advisory (Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others) for the authoritative fixed versions and any vendor-specific mitigations. Technical Details of the CVE-2026-46333: You can find the technical details of this vulnerability at:   https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt Acknowledgments Qualys thanks the Linux kernel security team, in particular Linus Torvalds, Christian Brauner, Kees Cook, and Oleg Nesterov, for the rapid upstream fix; the distribution security teams, in particular Solar Designer, Sam James, and Salvatore Bonaccorso, who carried the patch downstream under unusually compressed conditions; and the maintainers of the linux-distros and oss-security lists. Qualys QID Coverage for Detecting CVE-2026-46333: Qualys has released the following QIDs listed in the table below with Vulnerability Signatures versions VULNSIGS-2_6_607-2, VULNSIGS-2.6.608-2, VULNSIGS-2.6.607-2, and VULNSIGS-2.6.605-7. Additional QIDs will be released as they become available. QID TITLE 387392 Linux Kernel Local Privilege Escalation Vulnerability (CVE-2026-46333) 6050281 Red Hat Security Advisory for CVE-2026-46333 (Unfixed Vulnerability) 6050650 Red Hat Update for kernel (RHSA-2026:19521) 6050671 Red Hat Update for kernel (RHSA-2026:19540) 944317 AlmaLinux Security Update for kernel (ALSA-2026:A009) 944318 AlmaLinux Security Update for kernel (ALSA-2026:A010) 944320 AlmaLinux Security Update for kernel (ALSA-2026:A008) 6683237 CloudLinux 8 Security Update for kernel (CLSA-2026:A008) 6683240 CloudLinux 9 Security Update for kernel (CLSA-2026:A009) 762598 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1909-1) 762604 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1907-1) 762614 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1908-1) 762618 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1904-1) 6276533 Debian Security Update for linux (CVE-2026-46333) 6277424 Debian Security Update for linux (CVE-2026-46333) 288719 Fedora Security Update for kernel (FEDORA-2026-8b4a8d18d2) 288720 Fedora Security Update for kernel (FEDORA-2026-03be3dc34b) CVE-2026-46333 mitigant information: A brief about the vulnerability root-cause:  pidfd_getfd enforces access with __ptrace_may_access(target, PTRACE_MODE_ATTACH_REALCREDS). The bug skips only the dumpable branch (if (mm && …) is false when mm is NULL); the function still returns security_ptrace_access_check(task, mode), which dispatches to the YAMA LSM hook. At default ptrace_scope=1, YAMA permits access because the attacker is the parent of the SUID child it spawned. At ptrace_scope=2, YAMA requires CAP_SYS_PTRACE, which the unprivileged attacker does not have, so pidfd_getfd returns -EPERM regardless of the kernel race.  Hence, our mitigation strategy is to set kernel.yama.ptrace_scope = 2 (CAP_SYS_PTRACE required)  Subsequently, these are the current operational impacts of applying the mitigant: Non-root users cannot reliably use gdb -p, strace -p, or perf record -p against processes they did not launch via PR_SET_PTRACER Browser crash-reporter sandboxes that use cross-process ptrace may break (Firefox, Chromium handle this gracefully). Some container debug functionality, kdump userspace helpers, and Checkpoint and Restore in Userspace (criu) can potentially break. ptrace_scope is statistically non-decreasing at runtime and hence, once raised, cannot be lowered without a reboot. Discover Vulnerable CVE-2026-46333 Assets with Qualys CyberSecurity Asset Management The initial and crucial step in managing this critical vulnerability and mitigating associated risks is identifying all assets susceptible to this issue. Use CyberSecurity Asset Management 3.0 with External Attack Surface Management to identify your organization’s internet-facing instances and container/Kubernetes nodes that have vulnerable versions of CVE-2026-46333. In the following example, we aim to identify all assets running Ubuntu, Debian, and SUSE: operatingSystem.name: ["Ubuntu", "Debian", "SUSE"] CyberSecurity Asset Management maintains a catalog of hardware and software lifecycle data built and curated by a dedicated research team, covering over 5,500 software publishers and 300,000 software releases, with automated daily updates to all CyberSecurity Asset Management customers. Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate CVE-2026-46333 Qualys VMDR provides comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond, prioritize, and mitigate associated risks. Additionally, Qualys customers can leverage Qualys Patch Management to effectively remediate these vulnerabilities. Leverage the power of Qualys VMDR alongside TruRiskTM and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, including container and Kubernetes nodes, effectively addressing the vulnerabilities highlighted above. Use this QQL statement: vulnerabilities.vulnerability.cveIds:CVE-2026-46333 Automatically Patch CVE-2026-46333 with Qualys Patch Management We expect vendors to release patches for this vulnerability shortly. Qualys Patch Management can automatically deploy those patches to vulnerable assets when they become available. Customers can use the “patch now” button found to the right of the vulnerability to add the CVE-2026-46333vulnerabilityto a patch job. Once patches are released, Qualys will find the relevant patches for this vulnerability and automatically add those patches to a patch job. This will allow customers to deploy those patches to vulnerable devices, all from the Qualys platform.
    💬 Team Notes
    Article Info
    Source
    Qualys
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗