CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path. The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel's __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay. During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid. The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets: chage (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44. ssh-keysign (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04. pkexec (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44. accounts-daemon (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44. These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, file-capability binaries, and root daemons may be exploitable through the same primitive.
| Vendor | Product | Versions |
|---|---|---|
| linux | kernel | bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, bfedb589252c01fa505ac9f6f2a3d5d68d707ef4, d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12, 03eed7afbc09e061f66b448daf7863174c3dc3f3, e45692fa1aea06676449b63ef3c2b6e1e72b7578, 694a95fa6dae4991f16cda333d897ea063021fed, 4.10, v5.6-rc1 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| linux | linux | mitre_affected | 90% |
| open source | linux kernel | cert_advisory | 90% |
Updated description with detailed technical information and added new affected version v5.6-rc1 and new tags.
Updated description to include a logic bug in __ptrace_may_access() and added a new patch version along with new relevant tags.
Updated description with detailed technical information about CVE-2026-46333, changed severity to HIGH, and added relevant tags and IOC.
Updated severity to HIGH and marked the vulnerability as exploit available and actively exploited.
Updated description with details about CVE-2026-46333, added affected version 7.0.7, and changed severity to HIGH.
Initial creation
