RSS

Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel

signa111 pts0 comments

CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path | Qualys

Blog Home

Table of Contents<br>What Was Found<br>Understanding the Potential Impact, Severity, and Scope<br>Coordinated Disclosure and Why We Are Publishing Now<br>Immediate Action<br>Technical Details of the CVE-2026-46333:<br>Acknowledgments<br>Qualys QID Coverage for Detecting CVE-2026-46333:<br>CVE-2026-46333 mitigant information:<br>Discover Vulnerable CVE-2026-46333 Assets with Qualys CyberSecurity Asset Management<br>Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate CVE-2026-46333

The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay.

What Was Found

During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid.

The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets:

chage (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44.

ssh-keysign (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04.

pkexec (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44.

accounts-daemon (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44.

These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, file-capability binaries, and root daemons may be exploitable through the same primitive. Qualys developed four working exploits for CVE-2026-46333, covering chage, ssh-keysign, pkexec, and accounts-daemon. As part of the coordinated disclosure process, we withheld them publicly while distributions completed their packaging.

Understanding the Potential Impact, Severity, and Scope

CVE-2026-46333 is local-only, but the impact is severe. Local does not mean low priority. Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts.

Coordinated Disclosure and Why We Are Publishing Now

Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination.

A short time later, an independent exploit derived from the public kernel commit appeared. With the embargo no longer providing protection, the list maintainers asked us to move the discussion to the public oss-security list. We posted a minimal notice at that point to preserve operational safety while distributions finished their patches and packaging work. Vendor patches from multiple distributions shipped over the following days.

Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven,...

root qualys kernel disclosure linux local

Related Articles

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

SpaceX not the behemoth everyone thought

kaycebasques13 pts_blockquote instagram data vars text media

The Mirror Is Part of the Machine

london_safari10 ptstelemetry mirror decision logs enough time

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.