CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path
Table of Contents
- What Was Found
- Understanding the Potential Impact, Severity, and Scope
- Coordinated Disclosure and Why We Are Publishing Now
- Immediate Action
- Technical Details of the CVE-2026-46333:
- Acknowledgments
- Qualys QID Coverage for Detecting CVE-2026-46333:
- CVE-2026-46333 mitigant information:
- Discover Vulnerable CVE-2026-46333 Assets with Qualys CyberSecurity Asset Management
- Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate CVE-2026-46333
The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay.
What Was Found
During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid.
The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets:
- chage (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44.
- ssh-keysign (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04.
- pkexec (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44.
- accounts-daemon (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44.
These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, and file-capability binaries, as well as root daemons, may be exploitable through the same primitive. Qualys developed four working exploits for CVE-2026-46333, covering chage, ssh-keysign, pkexec, and accounts-daemon; as part of the coordinated disclosure process, we withheld them from publication while distributions completed their packaging.
Understanding the Potential Impact, Severity, and Scope
CVE-2026-46333 is local-only, but the impact is severe. Local does not mean low priority. Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts.
Coordinated Disclosure and Why We Are Publishing Now
Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination.
A short time later, an independent exploit derived from the public kernel commit appeared. With the embargo no longer providing protection, the list maintainers asked us to move the discussion to the public oss-security list. We posted a minimal notice at that point to preserve operational safety while distributions finished their patches and packaging work. Vendor patches from multiple distributions shipped over the following days.
Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies.
Immediate Action
- Apply the kernel update from your distribution and follow their guidelines for affected systems so the running kernel reflects the fix. Patched packages are available from Debian, Fedora, and other major vendors.
- On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes.
- Interim mitigation where patching must wait: raise kernel.yama.ptrace_scope to 2 (admin-only attach). This blocks the public exploits, since their pidfd_getfd(2) path is gated by __ptrace_may_access().
- Refer to each affected distribution’s security advisory (Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others) for the authoritative fixed versions and any vendor-specific mitigations.
Technical Details of the CVE-2026-46333:
You can find the technical details of this vulnerability at:
https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt
Acknowledgments
Qualys thanks the Linux kernel security team, in particular Linus Torvalds, Christian Brauner, Kees Cook, and Oleg Nesterov, for the rapid upstream fix; the distribution security teams, in particular Solar Designer, Sam James, and Salvatore Bonaccorso, who carried the patch downstream under unusually compressed conditions; and the maintainers of the linux-distros and oss-security lists.
Qualys QID Coverage for Detecting CVE-2026-46333:
Qualys has released the following QIDs listed in the table below with Vulnerability Signatures versions VULNSIGS-2_6_607-2, VULNSIGS-2.6.608-2, VULNSIGS-2.6.607-2, and VULNSIGS-2.6.605-7. Additional QIDs will be released as they become available.
| QID | TITLE |
| --- | --- |
| 387392 | Linux Kernel Local Privilege Escalation Vulnerability (CVE-2026-46333) |
| 6050281 | Red Hat Security Advisory for CVE-2026-46333 (Unfixed Vulnerability) |
| 6050650 | Red Hat Update for kernel (RHSA-2026:19521) |
| 6050671 | Red Hat Update for kernel (RHSA-2026:19540) |
| 944317 | AlmaLinux Security Update for kernel (ALSA-2026:A009) |
| 944318 | AlmaLinux Security Update for kernel (ALSA-2026:A010) |
| 944320 | AlmaLinux Security Update for kernel (ALSA-2026:A008) |
| 6683237 | CloudLinux 8 Security Update for kernel (CLSA-2026:A008) |
| 6683240 | CloudLinux 9 Security Update for kernel (CLSA-2026:A009) |
| 762598 | SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1909-1) |
| 762604 | SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1907-1) |
| 762614 | SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1908-1) |
| 762618 | SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1904-1) |
| 6276533 | Debian Security Update for linux (CVE-2026-46333) |
| 6277424 | Debian Security Update for linux (CVE-2026-46333) |
| 288719 | Fedora Security Update for kernel (FEDORA-2026-8b4a8d18d2) |
| 288720 | Fedora Security Update for kernel (FEDORA-2026-03be3dc34b) |
CVE-2026-46333 mitigant information:
Root cause in brief: pidfd_getfd() enforces access with __ptrace_may_access(target, PTRACE_MODE_ATTACH_REALCREDS). The bug skips only the dumpable branch (the condition if (mm && …) is false when mm is NULL); the function still returns security_ptrace_access_check(task, mode), which dispatches to the YAMA LSM hook. At the default ptrace_scope=1, YAMA permits access because the attacker is the parent of the SUID child it spawned. At ptrace_scope=2, YAMA requires CAP_SYS_PTRACE, which the unprivileged attacker does not have, so pidfd_getfd() returns -EPERM regardless of the kernel race.
The mitigation is therefore to set kernel.yama.ptrace_scope = 2 (CAP_SYS_PTRACE required).
Applying the mitigation has the following operational impacts:
- Non-root users cannot reliably use gdb -p, strace -p, or perf record -p against processes they did not launch via PR_SET_PTRACER.
- Browser crash-reporter sandboxes that use cross-process ptrace may break (Firefox, Chromium handle this gracefully).
- Some container debug functionality, kdump userspace helpers, and Checkpoint and Restore in Userspace (criu) can potentially break.
- ptrace_scope is statistically non-decreasing at runtime and hence, once raised, cannot be lowered without a reboot.
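The mitigation only helps if the running value is at least 2 and the setting is also persisted, so it is still in place after the next boot. The script below is an added example, not part of the Qualys advisory or tooling: the function names and verdict strings are hypothetical, and it assumes the caller passes the sysctl configuration files in the order the system applies them (later files win).

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope mitigation for CVE-2026-46333.
# File paths are parameters so the logic can be run against constructed files.

# Print the runtime value, or "absent" when the Yama sysctl does not exist.
runtime_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo absent; fi
}

# Print the last kernel.yama.ptrace_scope value set in the given sysctl
# config files (argument order = apply order), or "unset" if none sets it.
# Commented-out lines (# or ;) are ignored because the key must start the line.
persisted_scope() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's|^[[:space:]]*kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$|\1|p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# Combine runtime and persisted values into one verdict line.
# Exit status: 0 = mitigated now, 1 = exposed, 2 = Yama sysctl unavailable.
audit_ptrace_scope() {
    rt=$1; ps=$2
    case "$rt" in
        2|3) ;;
        0|1) echo "EXPOSED: runtime ptrace_scope=$rt"; return 1 ;;
        *)   echo "NO-YAMA: mitigation unavailable, apply the kernel update"; return 2 ;;
    esac
    case "$ps" in
        2|3) echo "MITIGATED: runtime=$rt persisted=$ps" ;;
        *)   echo "MITIGATED-UNTIL-REBOOT: runtime=$rt persisted=$ps" ;;
    esac
}

# Usage on a live host:
#   audit_ptrace_scope "$(runtime_scope)" \
#       "$(persisted_scope /etc/sysctl.d/*.conf /etc/sysctl.conf)"
```

A MITIGATED-UNTIL-REBOOT verdict means the value was raised at runtime (for example with `sysctl -w kernel.yama.ptrace_scope=2`) but no configuration file sets it, so the host returns to its default on the next boot.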
Discover Vulnerable CVE-2026-46333 Assets with Qualys CyberSecurity Asset Management
The initial and crucial step in managing this critical vulnerability and mitigating associated risks is identifying all assets susceptible to this issue. Use CyberSecurity Asset Management 3.0 with External Attack Surface Management to identify your organization’s internet-facing instances and container/Kubernetes nodes that are running kernel versions vulnerable to CVE-2026-46333.
In the following example, we aim to identify all assets running Ubuntu, Debian, and SUSE:
operatingSystem.name: ["Ubuntu", "Debian", "SUSE"]

CyberSecurity Asset Management maintains a catalog of hardware and software lifecycle data built and curated by a dedicated research team, covering over 5,500 software publishers and 300,000 software releases, with automated daily updates to all CyberSecurity Asset Management customers.
Enhancing Your Security Posture with Qualys VMDR to Detect and Remediate CVE-2026-46333
Qualys VMDR provides comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond, prioritize, and mitigate associated risks.
You can detect this vulnerability in Qualys VMDR and then check the Risk Elimination View for remediation options such as patching or mitigations, in order to make an informed remediation decision and reduce risk in your environment. Use the following QQL to find CVE-2026-46333 in your environment:
vulnerabilities.vulnerability.cveIds:CVE-2026-46333
As soon as detections are observed, you can create the Risk Elimination View and review the available remediation options.
Since a patch is available for this vulnerability, you can hit Remediate Now and deploy it directly. Based on Qualys AI-powered assessment, this patch has been marked as High Reliability, meaning you can deploy it with confidence.
If patch deployment is not immediately possible due to operational risk or pending change management approval, you can deploy a temporary mitigation to keep the vulnerability unexploitable until patching is ready.




It appears (and I’ve tested on Ubuntu Noble) that kernel.yama.ptrace_scope may be reduced back to the default value of 1 from 2, but not from 3.
https://www.kernel.org/doc/Documentation/security/Yama.txt